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The  inability  to  produce  the  data  needed  to  efficiently  and  effectively 
manage  the  day-to-day  operations  of  the  federal  government  and  provide 
accountability  to  taxpayers  historically  has  been  a  major  weakness  at  most 
of  the  largest  federal  agencies.  The  central  challenge  in  generating  such 
data  is  overhauling  inadequate  and  outdated  accounting  and  financial- 
related  management  information  systems.  To  help  focus  attention  on  this 
challenge,  the  Congress  passed  the  Federal  Financial  Management 
Improvement  Act  of  1996  (FFMIA),'  which  requires  the  24  major 
departments  and  agencies  named  in  the  Chief  Financial  Officers  (CFO)  Act 
to  implement  and  maintain  financial  management  systems  that  comply 
substantially  with  (1)  federal  financial  management  systems  requirements, 
(2)  applicable  federal  accounting  standards,  and  (3)  the  U.S.  Government 
Standard  General  Ledger  (SGL)^  at  the  transaction  level. 


'Title  VIIl  of  Public  Law  104-208  is  entitled  Federal  Financial  Management  Improvement  Act 
of  1996. 

T’he  SGL  provides  a  standard  chart  of  accounts  and  standardized  transactions  that  agencies 
are  to  use  in  all  their  financial  systems. 
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Results  in  Brief 


FFMIA  requires  auditors  to  report,  as  part  of  their  audit  reports  on  the 
agencies’  annual  financial  statements,  whether  their  respective  financial 
management  systems  comply  with  FFMIA’s  requirements.  FFMIA  also 
requires  that  we  report  annually  on  FFMIA  implementation  by  October  1  of 
each  year.  Our  annual  report  addresses  (1)  compliance  of  CFO  Act 
agencies’  financial  systems  with  FFMIA’s  requirements,  (2)  agencies’  plans 
to  bring  their  systems  into  compliance,  and  (3)  other  efforts  to  improve  the 
government’s  financial  management  systems.  Last  year,  we  issued  the  third 
of  our  annual  reports  under  FFMIA,  which  covered  fiscal  year  1998.^ 


For  fiscal  year  1999,  auditors  for  21  of  the  24  CFO  Act  agencies  reported 
that  the  agencies’  financial  systems  did  not  comply  substantially  with 
FFMIA’s  requirements — federal  financial  management  systems 
requirements,  applicable  federal  accounting  standards,  and  the  SGL.  These 
results  were  similar  to  those  for  fiscal  years  1997  and  1998.  As  a  result,  the 
vast  majority  of  agencies’  financial  management  systems  fall  short  of  the 
CFO  Act  and  FFMIA  goal  to  provide  reliable,  useful,  and  timely  information 
on  an  ongoing  basis  for  day-to-day  management  and  decision-making. 
Reasons  for  systems’  noncompliance  include  nonintegrated  systems, 
inadequate  reconciliation  procedures,  noncompliance  with  the  SGL,  lack  of 
adherence  to  accounting  standards,  and  weak  security  over  information 
systems. 

Although  the  financial  management  systems  of  most  agencies  do  not  yet 
comply  with  FFMIA’s  requirements,  the  number  of  agencies  receiving 
“clean”  or  unqualified  audit  opinions^  is  increasing.  Fifteen  of  the  24  CFO 
Act  agencies  received  unqualified  audit  opinions  on  their  financial 
statements  for  fiscal  year  1999,  up  fi'om  12  in  fiscal  year  1998  and  11  in 
fiscal  year  1997.  Auditors  of  12  of  the  15  agencies  that  received  unqualified 
opinions  reported  however  that  the  agencies’  financial  systems  did  not 
comply  substantially  with  FFMIA’s  requirements  in  fiscal  year  1999. 


^Financial  Management:  Federal  Financial  Management  Improvement  Act  Results  for  Fiscal 
Year  1998  (GAO/AIMD-00-3.  October  1. 1999). 

%  an  unqualified  opinion,  the  auditor  concludes  that  the  principal  statements  and 
accompanying  notes  present  fairly,  in  all  material  respects,  the  assets,  liabilities,  and  net 
position  of  the  entity  at  the  end  of  the  period,  and  the  net  costs,  changes  in  net  position, 
budgetary  resources,  and  reconciliation  of  net  costs  with  budgetary  obligations  for  the 
period  then  ended. 
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Through  the  rigors  of  the  financial  statement  audit  process  and  the 
requirements  of  FFMIA,  agencies  have  gained  a  better  understanding  of 
their  financial  management  weaknesses  and  the  impetus  to  resolve 
problems  caused  by  those  weaknesses.  At  the  same  time,  agencies  are 
slowly  making  progress  in  addressing  their  problems.  However,  while  an 
increasing  number  of  agencies  are  receiving  “clean”  audit  opinions  on  their 
financial  statements,  the  continued  widespread  noncompliance  with 
FFMIA  shows  that  there  is  still  a  long  way  to  go  to  reach  the  end  game— 
that  is,  having  systems,  processes,  and  controls  that  routinely  generate 
reliable,  useful,  and  timely  information  for  managers  and  other 
decisionmakers. 

As  we  testified  in  June,®  many  of  the  clean  opinions  were  obtained  through 
time-consuming,  ad  hoc  programming  and  analysis  of  data  produced  by 
inadequate  systems  that  are  not  integrated  and  often  require  significant 
adjustments.  Such  time-consuming  procedures,  which  often  represent 
“heroic  efforts,”  prevent  financial  management  staff  from  doing  other 
financial-related  work  such  as  financial  analyses,  which  could  directly 
support  strategic  decision-making  and  ultimately  improve  overall  business 
performance.  In  our  Executive  Guide:  Creating  Value  Through  World-class 
Financial  Management^  we  identified  the  success  factors,  practices,  and 
outcomes  associated  with  world-class  financial  management  efforts.  We 
found  that  many  leading  finance  organizations  have  a  goal  to  reduce  the 
time  spent  on  routine  accounting  activities,  such  as  financial  statement 
preparation,  so  that  financial  management  staff  can  spend  more  time  on 
activities  such  as  business  performance  analysis  or  cost  analysis. 


^Financial  Management:  Agencies  Face  Many  Challenges  in  Meeting  the  Goals  of  the  Federal 
Financial  Management  Improvement  Act  (GAO/T-AIMD'00-178,  June  6,  2000). 

®GAO/AIMD-00-134.  April  2000. 
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As  required  by  FFMIA,  the  19  agencies  that  determined  their  systems  were 
not  in  compliance  during  fiscal  year  1998^  prepared  remediation  plans 
describing  the  actions  they  took  or  plan  to  take  to  overcome  their  problems 
and  bring  their  systems  into  compliance.®  We  reviewed  the  19  remediation 
plans  and  determined  that  while  overall  the  plans  had  improved  slightly 
over  the  fiscal  year  1997  plans,  some  plans  continued  to  lack  specificity. 
The  corrective  actions  in  the  plans  were  not  always  detailed,  target  dates 
were  sometimes  lacking,  and  information  as  to  the  type  and  amount  of 
resources  needed  to  implement  the  corrective  actions  was  not  included  in 
several  of  the  plans  we  reviewed. 

The  role  of  advisor  established  by  FFMIA  for  the  Office  of  Management  and 
Budget  (0MB),  with  respect  to  agency  remediation  plans,  is  important  for 
ensuring  that  agencies  prepare  effective  remediation  plans  that  adequately 
address  their  serious  financial  management  weaknesses.  To  support  that 
effort,  and  because  of  the  inadequacies  we  identified  last  year  in  agencies’ 
fiscal  year  1997  remediation  plans,  we  reconunended  that  0MB  review 
agencies’  plans  for  (1)  detailed  corrective  actions  that  fully  address 
reported  problems,  (2)  inclusion  of  resource  requirements,  and  (3)  specific 
time  frames  needed  to  implement  and  resolve  problems.  0MB  officials  told 
us  they  have  adopted  a  new  approach  for  reviewing  agencies’  remediation 
plans,  which  is  part  of  a  comprehensive  strategy  for  improving  federal 
financial  management.  The  new  approach  includes  meetings  with  agency 
officials  to  discuss  integrating  the  agency’s  plans  for  overhauling  or 
replacing  financial  management  systems  with  the  agency’s  information 
technology  capital  planning  processes.  0MB  has  started  meeting  with 
agency  officials;  however,  because  this  approach  is  new,  we  cannot 
comment  on  whether  it  will  be  successful  in  improving  agencies’ 
remediation  plans  and  thus  improving  financial  management  in  general. 


^Auditors  for  21  of  the  24  CFO  Act  agencies  reported  that  the  agencies’  systems  did  not 
substantially  comply  with  FFMIA  in  fiscal  year  1998.  Two  agencies  did  not  submit 
remediation  plans  for  fiscal  year  1998  because  agency  management  determined  that  their 
systems  were  in  substantial  compliance  with  FFMIA.  While  agency  management 
acknowledged  that  the  weaknesses  identified  by  the  auditors  existed,  they  did  not  agree 
that  the  weaknesses  resulted  in  lack  of  “substantial”  compliance. 

“Fiscal  year  1998  remediation  plans,  addressing  instances  of  noncompliance  with  FFMIA 
identified  in  financial  statement  audits  covering  fiscal  year  1998,  were  due  to  the  Office  of 
Management  and  Budget  (0MB)  in  October  1999.  Remediation  plans  covering  fiscal  year 
1999  instances  of  noncompliance  are  due  to  0MB  in  December  2000. 
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We  also  recommended  last  year  that  0MB  work  with  the  agencies  to  ensure 
that  the  agencies’  financial  statements  are  audited  and  issued  by  the 
March  1  statutory  deadline.  Officials  from  0MB,  GAO,  and  the  Department 
of  the  Treasury  met  with  agencies  to  discuss,  among  other  things,  the 
timely  preparation  and  audit  of  the  agency  financial  statements.  In 
addition,  in  large  part  due  to  the  “heroic  efforts”  by  many  agencies,  the 
number  of  agencies  issuing  their  audited  financial  statements  after  March  1 
decreased  from  11  for  fiscal  year  1997  to  5  for  fiscal  year  1999.  Having  to 
perform  such  “heroic  efforts”  in  order  to  issue  financial  statements  by  the 
statutory  deadline  indicates  the  need  for  continued  0MB  attention. 

Bringing  financial  management  systems  into  compliance  with  the 
requirements  of  FFMIA  is  a  formidable  challenge.  Identifying  the 
appropriate  corrective  actions  for  inclusion  in  agencies’  remediation  plans 
is  just  the  first  step  toward  that  goal.  Typically,  the  systems  needs  are 
complex  and  accordingly  require  well-considered  and  sophisticated  efforts 
to  implement.  We  have  issued  guidance  to  help  agencies  with  such  efforts, 
including  guidance  on  making  information  technology  investment 
decisions  and  improving  information  security  management.  Also,  in  order 
to  aid  in  the  selection  of  functional  and  cost-effective  applications,  the 
Joint  Financial  Management  Improvement  Program  (JFMIP)^  tests 
commercial  off-the-shelf  software  for  compliance  with  the  current  systems 
requirements.  FFMIA  compliance  guidance  is  also  contained  in  an 
exposure  draft  of  a  guide  issued  by  JFMIP  and  the  CFO  Council  and  in 
checklists  that  we  have  published.  And,  finally,  lessons  learned  from  the 
government’s  successful  Year  2000  efforts,  including  the  importance  of 
providing  top  management  involvement  and  high-level  leadership,  can  be 
applied  to  efforts  to  help  improve  agencies’  financial  management  systems 
so  that  they  can  produce  the  reliable,  useful,  and  timely  information  needed 
by  management  and  other  decisionmakers. 

In  commenting  on  a  draft  of  this  report,  0MB  expressed  concerns 
regarding  the  seemingly  “all  or  nothing”  assessments  of  FFMIA 
compliance.  Under  OMB’s  current  implementing  guidance,  agencies’ 


^JFMIP  is  a  cooperative  undertaking  of  0MB,  the  Department  of  the  Treasury,  the  Office  of 
Personnel  Management  (0PM),  and  GAO  working  with  operating  agencies  to  improve 
Hnancial  management  practices  throughout  the  government.  The  program  was  initiated  in 
1948  by  the  Secretary  of  the  Treasury,  the  Director  of  the  Bureau  of  the  Budget  (now  0MB), 
and  the  Comptroller  General  and  was  given  statutory  authorization  in  the  Budget  and 
Accounting  Procedures  Act  of  1950.  The  Civil  Service  Commission,  now  0PM,  joined  JFMIP 
in  1966. 
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systems  are  determined  to  either  have  substantially  complied  or  not, 
without  distinctions  as  to  progress  toward  that  goal.  Also,  0MB 
commented  that  the  report  was  negative  and  did  not  give  any  credit  for 
either  progress  made  by  agencies  or  current  improvement  efforts 
underway.  We  agree  that  it  is  important  to  measure  progress  toward 
achieving  compliance  with  FFMIA  to  demonstrate  that  agencies’  systems 
are  moving  steadily  toward  compliance  with  FFMIAs  requirements.  Our 
work,  as  well  as  that  performed  or  directed  by  agency  Inspectors  General 
(IG)  shows  that  agencies  are  making  an  effort,  and  we  acknowledge  that  in 
the  report.  However,  attaining  the  end  goal  of  having  reliable  data  on 
demand  for  day-to-day  decision-making  is  a  distant  goal  for  many  agencies. 
We  plan  to  work  with  0MB  as  it  contemplates  various  approaches  to 
measuring  and  reporting  progress  in  achieving  compliance  with  FFMIA. 

0MB  also  expressed  concerns  about  the  applicability  of  information 
security  requirements  to  certain  systems  in  assessing  compliance  with 
FFMIA.  OMB’s  view  is  that  for  purposes  of  reviewing  compliance  with 
FFMIA,  information  security  controls  should  only  be  considered  for 
financial  systems  under  the  purview  of  the  agency  CFO,  and  not  for  mixed 
or  enterprise  systems,  which  0MB  states  must  be  addressed  on  an 
agencywide  level.  However,  to  the  extent  that  financial  and  non-flnancial 
portions  of  mixed  systems  cannot  be  separated  for  purposes  of  information 
security  controls,  the  mixed  systems  in  their  entirety  are  subject  to  FFMIA. 
Further,  the  applicability  of  FFMIA  is  not  limited  to  systems  within  the 
influence  of  the  agency  CFO.  Rather,  FFMIA  refers  only  to  agency  systems 
and  vests  ultimate  responsibility  in  the  agency  head  for  determining 
whether  agency  systems  comply  with  FFMIA  requirements.  Therefore, 
information  security  controls  for  not  only  financial  systems,  but  also  mixed 
systems  in  their  entirety  should  be  included  in  FFMIA  reviews. 


Background 


FFMIA  and  other  financial  management  reform  legislation,  most  notably 
the  CFO  Act,  have  underscored  the  importance  of  improving  financial 
management  across  the  federal  government.  The  primary  purpose  of 
FFMIA  is  to  ensure  that  agency  financial  management  systems  routinely 
provide  reliable,  useful,  and  timely  financial  information.  With  such 
information,  government  leaders  will  be  better  positioned  to  invest 
resources,  reduce  costs,  oversee  programs,  and  hold  agency  managers 
accountable  for  the  way  they  run  government  programs.  Financial 
management  systems’  compliance  with  federal  financial  management 
systems  requirements,  applicable  accounting  standards,  and  the  SGL  are 
the  building  blocks  to  help  achieve  these  goals. 
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Management  Reform  FFMIA  is  part  of  a  series  of  management  reform  legislation  passed  by  the 

Framework  Congress  over  the  past  two  decades.  This  series  of  legislation  started  with 

the  Federal  Managers’  Financial  Integrity  Act  of  1982  (Financial  Integrity 
Act),  which  the  Congress  passed  to  strengthen  internal  control  and 
accounting  systems  throughout  the  federal  government,  among  other 
purposes.  However,  as  we  reported  in  1989,'®  7  years  after  the  Financial 
Integrity  Act  was  passed,  while  agencies  had  achieved  some  success  in 
identifying  and  correcting  material  internal  control  cmd  accounting  system 
weaknesses,  their  efforts  to  implement  the  Financial  Integrity  Act  had  not 
produced  the  results  intended  by  the  Congress.  At  that  time,  we  also 
reported  that  the  government  did  not  have  the  internal  control  systems 
necessary  to  effectively  operate  its  programs  and  safeguard  its  assets  and 
that  its  accounting  systems  were  antiquated  and  second-rate. 

So,  in  the  1990s,  the  Congress  passed  additional  management  reform 
legislation  to  improve  the  general  and  financial  management  of  the  federal 
government.  The  combination  of  reforms  ushered  in  by  (1)  the  CFO  Act  of 
1990,  (2)  the  Government  Management  and  Reform  Act  of  1994,  (3)  FFMIA, 
(4)  the  Government  Performance  and  Results  Act  of  1993,  and  (5)  the 
Clinger-Cohen  Act  of  1996,  if  successfully  implemented,  provides  a  basis 
for  improving  accountability  over  government  operations  and  routinely 
producing  sound  cost  and  operating  performance  information,  thereby 
making  it  possible  to  better  assess  and  improve  the  government’s  financial 
condition  and  operating  performance.  In  addition,  in  November  1999  we 
updated  our  Standards  for  Internal  Control  in  the  Federal  Government, 
which  is  issued  pursuant  to  the  Financial  Integrity  Act  to  help  agency 
managers  implement  effective  internal  control,  an  integral  part  of 
improving  financial  management  systems. 


Financial  Management 
Systems  Requirements 


The  financial  management  systems  policies  and  standards  prescribed  for 
executive  agencies  to  follow  in  developing,  operating,  evaluating,  and 
reporting  on  financial  management  systems  are  defined  in  0MB  Circular  A- 
127,  Financial  Management  Systems.  Circular  A-127  references  the  series  of 
publications,  entitled  Federal  Financial  Management  Systems 
Requirements  (FFMSR),  issued  by  JFMIP  as  the  primary  source  of 


"‘Financial  Integrity  Act:  Inadequate  Controls  Result  in  Ineffective  Federal  Programs  and 
Billions  in  Losses  (GAO/AFMD-90-10,  November  28, 1989). 

"GAO/AIMD-00-21.3.1.  November  1999. 
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governmentwide  requirements  for  financial  management  systems.  JFMIP 
systems  requirements,  among  other  things,  provide  a  framework  for 
establishing  integrated  financial  management  systems  to  support  program 
and  financial  managers.  These  requirements  documents  were  first  issued  in 
the  early  1990s,  and  several  have  been  updated  since  then.  Table  1  lists  the 
current  publications  in  the  FFMSR  series  and  their  issue  dates. 


Table  1:  Publications  in  the  Federal  Financial  Management  System  Requirements  Series 

FFMSR  document 

Issue  date 

FFMSR-0 

Framework  for  Federal  Financial  Management  Systems 

January  1995 

FFMSR-7 

inventory  System  Requirements 

June  1995 

FFMSR-8 

Managerial  Cost  Accounting  System  Requirements 

February  1998 

JFMIP-SR-99-4 

Core  Financial  System  Requirements 

February  1999 

JFMlP-SR-99-5 

Human  Resources  &  Payroll  Systems  Requirements 

April  1999 

JFMIP-SR-99-8 

Direct  Loan  System  Requirements 

June  1999 

JFMlP-SR-99-9 

Travel  System  Requirements 

July  1999 

JFMIP-SR-99-14 

Seized  Property  and  Forfeited  Asset  Systems  Requirements 

December  1999 

JFMIP-SR-00-01 

Guaranteed  Loan  System  Requirements 

March  2000 

JFMIP-SR-00-3 

Grant  Financial  System  Requirements 

June  2000 

JFMIP  is  also  developing  systems  requirements  where  none  previously 
existed.  JFMIP  issued  an  exposure  draft  on  Property  Management  System 
Requirements  in  April  2000.  A  large  number  of  responses  and  comments 
were  received,  and  as  a  result,  a  second  exposure  draft  was  issued  in  July 
2000.  Also,  efforts  are  underway  to  develop  system  requirements 
documents  for  benefit  programs  and  acquisition  systems. 
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Federal  Accounting 
Standards 


Federal  accounting  standards,  which  agency  CFOs  use  in  preparing 
financial  statements  and  in  developing  financial  management  systems,  are 
developed  by  the  Federal  Accounting  Standards  Advisory  Board 
(FASAB).*^  FASAB  develops  accounting  standards  after  considering  the 
financial  and  budgetary  information  needs  of  the  Congress,  executive 
agencies,  and  other  users  of  federal  financial  information  and  comments 
from  the  public.  FASAB  forwards  the  standards  to  the  three  principals — the 
Comptroller  General  of  the  United  States  (Comptroller  General),  the 
Secretary  of  the  Treasury,  and  the  Director  of  0MB — for  a  90-day  review.  If 
there  are  no  objections  during  the  review  period,  the  standards  are 
considered  final  and  FASAB  publishes  them  on  its  Web  site  and  in  print. 

The  American  Institute  of  Certified  Public  Accountants  now  recognizes  the 
federal  accounting  standards  developed  by  FASAB  as  being  generally 
accepted  accounting  principles  for  the  federal  government.  This 
recognition  enhances  the  acceptability  of  the  standards,  which  form  the 
foundation  for  preparing  consistent  and  meaningful  financial  statements 
both  for  individual  agencies  and  the  government  as  a  whole. 

Currently,  there  are  18  statements  of  federal  financial  accounting  standards 
(SFFAS)  and  3  statements  of  federal  financial  accounting  concepts 
(SFFAC).’^  The  concepts  and  standards  are  the  basis  for  OMB’s  guidance  to 
agencies  on  the  form  and  content  of  their  financial  statements  and  the 
government’s  consolidated  financial  statements.  Table  2  lists  the  concepts, 
standards,  and  interpretations'^  along  with  their  respective  effective  dates. 


‘^In  October  1990,  the  Secretary  of  the  Treasury,  the  Director  of  0MB,  and  the  Comptroller 
General  established  FASAB  to  recommend  a  set  of  generally  accepted  accounting  standards 
for  the  federal  government. 

^^Accounting  standards  are  authoritative  statements  of  how  particular  types  of  transactions 
and  other  events  should  be  reflected  in  financial  statements.  SFFACs  explain  the  objectives 
and  ideas  upon  which  FASAB  develops  the  standards. 

‘^Occasionally,  FASAB  clarifies  existing  federal  accounting  standards  by  providing 
interpretations.  An  interpretation  is  a  document  of  narrow  scope  that  provides  clarifications 
of  original  meaning,  additional  definitions,  or  other  guidance  pertaining  to  an  existing 
federS  accounting  standard. 
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Table  2:  Statements  of  Federal  Financial  Accounting  Concepts,  Statements  of  Federal  Financial  Accounting  Standards,  and 

Interpretations 

Concepts 

SFFAC  No.  1  Objectives  of  Federal  Financial  Reporting 

SFFAC  No.  2  Entity  and  Display 

SFFAC  No.  3  Management’s  Discussion  and  Analysis 

Effective  for 

Standards 

fiscal  year^ 

SFFAS  No.  1  Accounting  for  Selected  Assets  and  Liabilities 

1994 

SFFAS  No.  2  Accounting  for  Direct  Loans  and  Loan  Guarantees 

1994 

SFFAS  No.  3  Accounting  for  Inventory  and  Related  Property 

1994 

SFFAS  No.  4  Managerial  Cost  Accounting  Concepts  and  Standards 

1998 

SFFAS  No.  5  Accounting  for  Liabilities  of  the  Federal  Government 

1997 

SFFAS  No.  6  Accounting  for  Property,  Plant,  and  Equipment 

1998 

SFFAS  No.  7  Accounting  for  Revenue  and  Other  Financing  Sources 

1998 

SFFAS  No.  8  Supplementary  Stewardship  Reporting 

1998 

SFFAS  No.  9  Deferral  of  the  Effective  Date  of  Managerial  Cost  Accounting  Standards  for  the  Federal  Government  in 
SFFAS  No.  4 

1998 

SFFAS  No.  10  Accounting  for  Internal  Use  Software 

2001 

SFFAS  No.  11  Amendments  to  Accounting  for  Property,  Plant,  and  Equipment— Definitional  Changes 

1999 

SFFAS  No.  12  Recognition  of  Contingent  Liabilities  Arising  from  Litigation:  An  Amendment  of  SFFAS  No.  5, 

Accounting  for  Liabilities  of  the  Federal  Government 

1998 

SFFAS  No.  13  Deferral  of  Paragraph  65-2— Material  Revenue-Related  Transactions  Disclosures 

1999 

SFFAS  No.  14  Amendments  to  Deferred  Maintenance  Reporting 

1999 

SFFAS  No.  15  Management’s  Discussion  and  Analysis 

SFFAS  No.  16  Amendments  to  Accounting  for  Property,  Plant,  and  Equipment 

2000 

SFFAS  No.  17  Accounting  for  Social  Insurance 

SFFAS  No.  18  Amendments  to  Accounting  Standards  for  Direct  Loans  and  Loan  Guarantees  in  SFFAS  No.  2 

2001 

Interpretations 

No.  1  Reporting  on  Indian  Trust  Funds 

No.  2  Accounting  for  Treasury  Judgment  Fund  Transactions 

No.  3  Measurement  Date  for  Pension  and  Retirement  Health  Care  Liabilities 

No.  4  Accounting  for  Pension  Payments  in  Excess  of  Pension  Expense 

No.  5  Recognition  by  Recipient  Entities  of  Receivable  Nonexchange  Revenue 

^Effective  dates  do  not  apply  to  Statements  of  Federal  Financial  Accounting  Concepts  and 
Interpretations. 
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FASAB’s  Accounting  and  Auditing  Policy  Committee  (AAPC)'®  assists  in 
resolving  issues  related  to  the  implementation  of  accounting  standards. 
AAPC’s  efforts  result  in  guidance  for  preparers  and  auditors  of  federal 
financial  statements  in  connection  with  implementation  of  accounting 
standards  and  the  reporting  and  auditing  requirements  contained  in  OMB’s 
Form  and  Content  Bulletin  and  Audit  Bulletin.  To  date,  AAPC  has  released 
four  technical  releases  (TR),  which  are  listed  in  table  3  along  with  their 
release  dates. 


Table  3:  AAPC  Technical  Releases 

Technical  release 

AAPC  release 
date 

TR-1  Audit  Legal  Letter  Guidance 

March  1, 1998 

TR~2  Environmental  Liabilities  Guidance 

March  15,  1998 

TR-3  Preparing  and  Auditing  Direct  Loan  and  Loan  Guarantee 
Subsidies  under  the  Federal  Credit  Reform  Act 

July  31, 1999 

TR-4  Reporting  on  Non-Valued  Seized  and  Forfeited  Property 

July  31, 1999 

Standard  General  Ledger  The  SGL  was  established  by  an  interagency  task  force  through  the  direction 

of  0MB  and  mandated  for  use  by  0MB  and  Treasury  regulations  in  1986. 
The  SGL  promotes  consistency  in  financial  transaction  processing  and 
reporting  by  providing  a  uniform  chart  of  accounts  and  pro  forma 
transactions  used  to  standardize  federal  agencies’  financial  information 
accumulation  and  processing,  enhance  financial  control,  and  support 
budget  and  external  reporting,  including  financial  statement  preparation. 
The  SGL  is  intended  to  improve  data  stewardship  throughout  the 
government,  enabling  consistent  reporting  at  all  levels  within  the  agencies 
and  providing  comparable  data  and  financial  analysis  at  the 
governmentwide  level.*® 


'®In  1997,  FASAB,  in  conjunction  with  0MB,  Treasury,  GAO,  the  CFO  Council,  and  the 
President’s  Council  on  Integrity  and  Efficiency,  established  AAPC  to  assist  the  federal 
government  in  improving  financial  reporting. 

‘®SGL  guidance  is  published  in  the  Treasury  Financial  Manual.  Treasury’s  Financial 
Management  Service  is  responsible  for  maintaining  the  SGL  and  answering  agency  inquiries. 
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Remediation  Plans 


FFMIA  requires  cin  agency  head  to  determine,  based  on  a  review  of  the 
auditor’s  report  on  the  agency’s  financial  statements  and  any  other  relevant 
information,  whether  the  agency’s  financial  management  systems 
substantially  comply  with  the  act.  The  agency  head  is  required  to  make  this 
determination  no  later  than  120  days  after  (1)  the  receipt  of  the  auditor’s 
report  or  (2)  the  last  day  of  the  fiscal  year  following  the  year  covered  by  the 
audit,  whichever  comes  first.  If  the  agency  head  disagrees  with  the 
auditor’s  determination  that  the  systems  do  not  substantially  comply,  the 
Director  of  0MB  is  to  review  the  agency  head’s  determination  and  report  to 
the  Congress.  If  the  agency  head  agrees  that  the  systems  do  not 
substantially  comply,  FFMIA  requires  that  the  agency  head,  in  consultation 
with  the  Director  of  0MB,  establish  a  remediation  plan  to  bring  the  systems 
into  substantial  compliance  with  FFMIA’s  requirements. 

According  to  FFMIA,  remediation  plans  are  to  include  corrective  actions, 
intermediate  target  dates,  and  resources  necessary  to  bring  the  financial 
management  systems  into  substantial  compliance  with  FFMIA’s 
requirements  within  3  years  of  the  date  the  agency  head’s  noncompliance 
determination  is  made.  If,  with  the  concurrence  of  the  Director  of  0MB,  the 
agency  head  determines  that  substantial  compliance  cannot  be  reached 
within  3  years,  the  remediation  plan  must  specify  the  most  feasible  date  by 
which  the  agency’s  systems  will  achieve  compliance  and  designate  an 
official  responsible  for  effecting  the  necessary  corrective  actions. 

In  accordance  with  0MB  guidance  contained  in  Circular  A-11,  Preparing 
and  Submitting  Budget  Estimates,  effective  July  12, 1999,  agencies  are  to 
include  their  remediation  plans  in  their  annual  budget  submissions  due  to 
0MB  in  October.  The  guidance  requires  that  the  plans  include  corrective 
actions,  resources  needed,  and  interim  target  dates  to  bring  the  financial 
management  systems  into  substantial  compliance  within  3  years  of  the  date 
of  the  agencies’  determination  that  their  systems  are  not  in  substantial 
compliance.*^ 


"The  most  current  revision  of  Circular  A-11,  effective  July  19, 2000,  requires  that  in  addition 
to  corrective  actions,  resources,  and  target  dates,  agencies  also  identify  responsible  officials 
in  their  remediation  plans.  The  guidance  changes  the  due  date  for  budget  submission 
documents  due  in  2000  to  December  rather  than  October  because  of  the  presidential 
transition. 
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Scope  and 
Methodology 


We  reviewed  fiscal  year  1999  audit  reports  for  the  24  CFO  Act  agencies  to 
determine  (1)  which  agencies  had  systems  that  their  auditors  found  to  be 
noncompliant  with  FFMIAs  requirements,  (2)  reasons  why  the  systems 
were  found  to  be  noncompliant,  and  (3)  whether  the  audit  reports  were 
issued  by  the  March  1  statutory  deadline.  Our  review  included  determining 
where  “heroic  efforts”  were  used  to  meet  the  deadline.  We  interviewed 
agency  management  and  auditors  at  several  CFO  Act  agencies  to  obtain 
their  views  on  FFMIA  implementation,  including  what  factors  management 
considered  in  determining  whether  their  agencies’  systems  complied. 

We  reviewed  OMB’s  guidance  for  FFMIA  and  interviewed  0MB  officials 
responsible  for  FFMIA  issues.  Specifically,  we  reviewed  the  guidance  for 
preparing  remediation  plans  for  fiscal  year  1998  contained  in  0MB  Circular 
A-11,  Preparing  and  Submitting  Budget  Estimates.  We  reviewed  agencies’ 
fiscal  year  1998  remediation  plans  to  determine  if  they  contained  the 
required  elements  and  if  the  corrective  actions  in  the  plans  would  resolve 
agencies’  systems  problems.  Fiscal  year  1999  remediation  plans  are  not  due 
to  0MB,  and  therefore  will  not  be  available,  until  December  2000.  We 
compared  the  fiscal  year  1998  remediation  plans  to  those  for  fiscal  year 
1997  to  determine  if  they  had  improved.  We  interviewed  0MB  officials  and 
staff  to  determine  what  actions  0MB  has  taken  regarding  agencies’ 
remediation  plans.  We  also  reviewed  a  draft  of  the  revised  guidance  in  0MB 
Bulletin  98-08,  Audit  Requirements  for  Federal  Financial  Statements. 

We  reviewed  applicable  federal  accounting  standards  and  systems 
requirements  documents.  We  made  inquiries  of  FASAB  and  JFMIP  staff  to 
determine  recent  developments  in  their  respective  efforts  to  develop 
accounting  standards  and  issue  new  systems  requirements  documents. 

We  conducted  our  work  from  February  through  August  2000  at  the  24  CFO 
Act  agencies  and  0MB  in  Washington,  D.C„  in  accordance  with  generally 
accepted  government  auditing  standards.  We  requested  comments  on  a 
draft  of  this  report  from  the  Director  of  0MB  or  his  designee.  The  Deputy 
Controller  of  0MB  provided  us  with  written  comments.  These  comments 
are  discussed  in  the  “Agency  Comments  and  Our  Evaluation”  section  and 
are  reprinted  in  appendix  I. 
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Fiscal  Year  1999  Audit 
Results  Indicate 
Progress  But  Serious 
Problems  Remain 


Agencies  have  a  better  understanding  of  their  financial  management 
weaknesses  and  are  slowly  making  progress  in  addressing  their  problems. 
However,  while  an  increasing  number  of  agencies  are  issuing  their  audited 
financial  statements  on  time  and  receiving  unqualified  (clean)  audit 
opinions,  financial  management  systems  of  the  vast  majority  of  CFO  Act 
agencies  do  not  yet  comply  with  FFMIAs  requirements  and,  therefore,  fall 
short  of  the  CFO  Act  and  FFMIA  goal  to  provide  reliable,  useful,  and  timely 
information  to  assist  in  day-to-day  management.  This  continuing 
widespread  noncompliance  with  FFMIA  is  indicative  of  the  overall  long¬ 
standing  poor  condition  of  agency  financial  systems. 


Auditors  for  21  of  the  24  CFO  Act  agencies  reported  that  for  fiscal  year 
1999,  the  agencies’  systems  still  did  not  comply  substantially  with  federal 
financial  systems  requirements,  federal  accounting  standards,  or  the  SGL.^® 
Auditors  for  three  agencies — the  Department  of  Energy,^®  the  National 
Aeronautics  and  Space  Administration,  and  the  National  Science 
Foundation — reported  the  agencies’  systems  to  be  in  substantial 
compliance.  These  FFMIA  compliance  results  were  similar  to  those  for 
fiscal  years  1997  and  1998. 


’^Management  of  3  of  the  21  agencies — the  Federal  Emergency  Management  Agency,  the 
Social  Security  Administration,  and  the  Office  of  Personnel  Management  (0PM) — disagreed 
with  their  auditors’  determinations  that  their  agencies’  systems  did  not  comply  substantially 
with  FFMIA’s  requirements.  Management  of  these  three  agencies  acknowledged  that  the 
weaknesses  identified  by  the  auditors  exist  but  did  not  agree  that  the  weaknesses  caused 
“substantial  noncompliance.  ”  (In  the  case  of  0PM,  management  determined  that  the 
systems  for  the  Retirement,  Health  Benefits  Insurance,  and  Life  Insurance  programs  did 
comply  substantially  with  FFMIA.  For  the  Revolving  Fund  and  Salaries  and  Expenses,  0PM 
management  agreed  with  its  auditors  that  the  systems  did  not  comply  substantially  with 
FFMIA.) 

’^According  to  0MB  guidance  in  0MB  Bulletin  98-08,  material  weaknesses  in  internal 
controls  that  affect  an  agency’s  ability  to  prepare  auditable  financial  statements  and  related 
disclosures  are  an  indication  of  noncompliance  with  FFMIA.  In  its  fiscal  year  1999  Report 
on  Internal  Controls,  the  Department  of  Energy’s  IG  reported  a  material  weakness  related  to 
the  Western  Area  Power  Administration’s  new  financi^  management  system.  The  report 
states,  “While  the  Department’s  systems  as  a  whole  substantidly  comply  with  FFMIA,  the 
new  financial  management  system  implemented  by  Western  was  not  in  compliance  with  the 
FFMIA  requirements  as  of  September  30, 1999. . . .  Thus,  Western  was  unable  to  adequately 
track  and  report  on  budget  execution  and  meet  external  reporting  requirements,  including 
preparation  of  financial  statements.” 
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Fifteen  of  the  24  CFO  Act  agencies  received  unqualified  audit  opinions  on 
their  financial  statements  for  fiscal  year  1999,  up  from  12  in  fiscal  year  1998 
and  1 1  in  fiscal  year  1997.  Yet,  FFMIA  noncompliance  has  been  fairly 
consistent  since  fiscal  year  1997  when  the  systems  of  20  of  the  24  CFO  Act 
agencies  were  reported  to  be  noncompliant.^  Auditors  for  12  of  the  15 
agencies  that  received  unqualified  opinions  reported  that  the  agencies’ 
financial  systems  did  not  comply  substantially  with  FFMIA’s  requirements 
in  fiscal  year  1999.  In  many  cases,  these  agencies  spent  considerable 
resources  and  often  performed  “heroic  efforts”  to  obtain  a  clean  opinion 
because  their  financial  statements  could  not  be  produced  from  their 
financial  systems. 

Not  only  has  the  number  of  clean  opinions  increased,  the  number  of 
agencies  issuing  their  audited  financial  statements  on  time  has  also 
increased.  To  emphasize  the  importance  of  timely  preparation  and  audit  of 
agency  financial  statements,  officials  from  0MB,  GAO,  and  the  Department 
of  the  Treasury  held  meetings  with  cognizant  agency  officials.  For  fiscal 
year  1999,  5  of  the  24  CFO  Act  agencies  issued  their  audited  statements 
after  the  statutory  due  date  of  March  1,  compared  to  fiscal  year  1997,  when 
1 1  agencies  were  late  issuing  their  audited  financial  statements.  However, 
as  was  the  case  in  obtaining  clean  opinions,  many  agencies  relied  on 
“heroic  efforts”  just  to  meet  the  statutory  due  date.  Having  to  perform  such 
efforts  indicates  the  need  for  continued  0MB  attention. 

Table  4  summarizes  the  auditors’  FFMIA  determinations  and  financial 
statement  opinions  for  fiscal  year  1999  and  highlights  the  12  agencies  that 
received  clean  audit  opinions  despite  their  systems  problems. 


“In  fiscal  year  1998,  the  systems  of  21  of  the  24  CFO  Act  agencies  were  reported  to  be 
noncompliant. 
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Table  4;  Auditors’  FFMIA  Determinations  and  Financial  Statement  Opinions  for  Fiscal  Year  1999 


Auditors’ 


determination  of 

substantial  Areas  of  reported  substantial 

compliance  noncompliance  Audit  opinion 


Agency 

Yes 

No 

Systems 

requirements 

Accounting 

standards 

SQL 

Unqualified 

Qualified 

Disclaimer 

Department  of 
Agriculture 

V 

V 

V 

V 

V 

1;  Department  of"  ^  .  I 

Commerce  ^  1 

ili 

V 

V 

Department  of 

Defense 

V 

V 

V 

V 

Department  of 
Education 

V 

V 

a 

Department  of  Energy 

V 

r  Depai^^nt  of 
f  and  Humaft  SeiYices^  ^ 

■/ 

N 

& 

Department  of 

Housing  and  Urban 
Development 

V 

V 

V 

V 

V 

Department  of  the 

1  Interidr 

V 

V 

Department  of  Justice 

V 

V 

V 

V 

V 

’  Department  of  tabor  r 

V 

V 

V 

IMiii 

4ll 

Department  of  State /  r 

■  V 

SilBi 

^  Department  of 
,  Transportation 

r 

gill 

V 

V 

V 

'f  t  S''i  " 

Department  of  the 
Treasury 

V 

V 

V 

V 

V 

1  pepartmerit 
iVfeterans  AffeirsJ 

f 

;v 

V 

V 

fiifWi 

s 

Agency  for 

International 

Development 

V 

V 

V 

V 

V 

Environmental 
Protection  Agency 

V 

V 

V 

V 

V 

iVFedefml  Emergency^' V  . 
0!anagen[i^:Agenpy'?;^  1 

'  V 

iwa- 

^General  Services;  i 

Administration  : ; 

fV"'  ■ 

w 

illli 

;| 
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(Continued  From  Previous  Page) 

Auditors’ 
determination  of 
substantiai 
compliance 

Areas  of  reported  substantial 
noncompliance 

Audit  opinion 

Agency 

Yes  No 

Systems  Accounting 

requirements  standards 

SGL 

Unqualified 

Qualified 

Disclaimer 

National  Aeronautics 
and  Space 
Administration 

V 

V 

National  Science 
Foundation 

V 

V 

,  Nuclear  Regulatory 
Commission 

V 

V 

V 

Office  of  Personnel 
Management 

V 

V 

V 

b 

Small  Business  ^ 

^  Administration  ! ^ 

I  iilli 

V 

V 

V 

::  Social  Security  ;  ’ 

'Administration 

i  j; 

V 

Total 

3  21 

21 

15 

14 

15 

4 

5 

=  Auditors  gave  the  agency’s  financial  statements  an  unqualified  audit  opinion,  but  reported  that  the 
agency’s  systems  did  not  comply  substantially  with  FFMIA’s  requirements. 


Note:  Management  of  21  of  the  24  agencies  agreed  with  their  auditors’  FFMIA  compliance  determinations. 

Management  of  the  remaining  three  agencies— the  Federal  Management  Emergency  Agency,  the  Social  Security 
Administration,  and  the  Office  of  Personnel  Management— did  not  agree  that  their  systems  were  not  in  substantial 
compliance.  See  footnote  18. 

^Education  received  a  disclaimer  of  opinion  on  its  Statement  of  Financing  and  qualified  opinions  on  its  other  financial 
statements. 

^The  Office  of  Personnel  Management  (0PM)  does  not  prepare  agencywide  financial  statements.  For  fiscal  year 
1999,  0PM  received  disclaimers  of  opinion  on  its  financial  statements  for  Revolving  Fund  and  Salaries  and  Expenses 
and  unqualified  opinions  on  the  financial  statements  for  the  Retirement,  Health  Benefits  Insurance,  and  Life 
Insurance  Programs. 

Source:  GAO  analysis  of  agency  audit  reports  for  fiscal  year  1 999. 

Financial  statement  audit  results  are  key  indicators  of  the  quality  of  agency 
financial  data  at  year-end  and  provide  an  annual  public  scorecard  on 
accountability.  Agencies  are  to  be  commended  for  receiving  unqualified 
audit  opinions.  At  the  same  time,  a  clean  audit  opinion  is  not  an  end  in 
itself.  A  clean  audit  opinion  indicates  to  financial  statement  users  only  that 
the  information  is  fairly  presented  as  of  the  date  of  the  financial 
statements — the  last  day  of  the  fiscal  year.  However,  financial  statement 
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users  generally  do  not  get  this  information  until  5  months  after  the  close  of 
the  fiscal  year — around  March  1,  the  statutory  deadline — which  is  when 
most  agencies  issue  their  financial  statements.  As  illustrated  below,  this 
time  lag  often  results  from  the  numerous  adjustments  and  other  “heroic 
efforts”  needed  to  prepare  these  statements.  Although  a  clean  opinion 
indicates  that  year-end  financial  information  is  fairly  presented,  it  provides 
no  assurance  about  the  effectiveness  and  efficiency  of  financial  systems 
used  to  prepare  the  statements  or  whether  use  of  the  same  or  other 
information  generated  by  the  financial  systems  for  management  use 
throughout  the  year  would  be  appropriate.  The  results  shown  in  table  4 
indicate  that  although  auditors  reported  that  the  financial  statements  of  15 
of  the  24  CFO  Act  agencies  were  fairly  presented  and  reliable  at  the  end  of 
the  fiscal  year,  as  we  discuss  later  in  this  report,  the  financial  systems  of  21 
of  the  24  agencies  have  weaknesses,  some  of  which  are  so  serious  that  they 
are  not  able  to  routinely  provide  reliable,  useful,  and  timely  information  on 
an  ongoing  basis. 

In  order  to  receive  an  unqualified  opinion,  many  agencies  whose  financial 
management  systems  did  not  comply  with  FFMIA  had  to  rely  on  “heroic 
efforts”  consisting  of  time-consuming,  ad  hoc  programming  and  analysis  of 
data  produced  by  inadequate  systems  that  are  not  integrated  or  routinely 
reconciled  and  often  require  significant  audit  adjustments.  For  example, 
the  Department  of  Transportation  (DOT)  received  its  first  unqualified 
opinion  on  its  fiscal  year  1999  departmentwide  financial  statements. 
However,  like  several  other  agencies,  despite  the  clean  opinion,  DOT’s  IG 
reported  that  DOT’s  systems  did  not  comply  substantially  with  FFMIA.^^ 
dot’s  existing  core  accounting  system — designed  to  be  the  primary  system 
for  producing  financial  information  and  financial  statements — was  not  the 
primary  source  of  information  used  to  prepare  the  financial  statements. 
Because  the  core  system  did  not  provide  the  necessary  data,  DOT  made 
about  800  adjusting  entries  totaling  $36  billion.  Also,  according  to  the  IG, 
the  Federal  Aviation  Administration’s  property  systems  were  not  designed 
as  an  integrated  system  to  accurately  account  for  property  costs. 
Therefore,  DOT  hired  additional  contractors,  detailed  employees,  and  used 
extensive  overtime  and  compensatory  time  to  provide  sufficient  evidence 
to  support  the  amounts  of  property,  plant,  and  equipment  shown  on  its 


Office  of  Inspector  General  Audit  Report,  Fiscal  Year  1999  Consolidated  Financial 
Statements,  Department  of  Transportation,  Report  No.  FE-2000-062,  March  8,  2000, 

Fiscal  Year  1999  Financial  Statements,  Federal  Aviation  Administration,  Report  No.  FE- 
2000-060.  February  29,  2000. 
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financial  statements.  The  IG  reported  that  these  manual  and  labor-intensive 
methods  are  expensive;  prone  to  errors,  mistakes,  and  inaccuracies:  and 
cannot  be  sustained. 

As  we  discuss  below,  one  of  the  main  problems  agencies  face  is  the  lack  of 
an  integrated  financial  management  system.  Having  an  effective,  integrated 
financial  management  system  that  can  produce  financial  statements  in  a 
timely  manner  prevents  the  need  for  time-consuming  and  costly 
procedures.  In  our  Executive  Guide:  Creating  Value  Through  World-class 
Financial  Management,  we  identified  the  success  factors,  practices,  and 
outcomes  associated  with  world-class  financial  management  efforts.  We 
found  that  many  leading  finance  organizations  have  a  goal  to  reduce  the 
time  spent  on  routine  accounting  activities,  such  as  financial  statement 
preparation,  so  that  financial  management  staff  c<m  spend  more  time  on 
activities  such  as  business  performance  analysis  or  cost  analysis. 


RGasons  for  NoncomplianCG  Based  on  our  review  of  fiscal  year  1999  audit  reports  for  the  21  agencies 

whose  financial  management  systems  were  reported  to  be  noncompliant, 
we  identified  five  primary  reasons  cited  by  the  auditors: 

•  nonintegrated  financial  management  systems, 

•  inadequate  reconciliation  procedures, 

•  noncompliance  with  the  SGL, 

•  lack  of  adherence  to  federal  accounting  standards,  and 

•  weak  security  over  information  systems. 

Table  5  shows  the  21  agencies  with  noncompliant  systems  and  the 
problems  relevant  to  FFMIA  that  were  reported  by  their  auditors.^ 
Auditors  reported  these  problems  among  the  weaknesses  identified  during 
the  audits;  however,  the  auditors  may  not  have  reported  the  problems  as 
specific  reasons  for  why  they  concluded  that  the  agencies’  systems  did  not 
comply  with  FFMIA.  Further,  the  weaknesses  reported  by  auditors  ranged 
from  serious,  pervasive  systems  problems  to  less  serious  problems  that 
may  affect  one  aspect  of  an  agency’s  accounting  operation.  We  included  all 
weaknesses  relevant  to  FFMIA  identified  by  the  auditors  because  such 


^^Based  on  further  review  of  agency  audit  reports,  we  have  updated  information  in  this  table, 
which  first  appeared  in  our  June  testimony  on  FFMIA,  Financial  Management:  Agencies 
Face  Many  Challenges  in  Meeting  the  Goa7s  of  the  Federal  Financial  Management 
Improvement  Act  (GAO/T-AIMD-00-178.  June  6,  2000). 
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problems  must  be  resolved  in  order  for  the  agencies’  systems  to  generate 
the  reliable,  useful,  and  timely  information  needed  by  decisionmakers. 

Table  5:  Problems  Reported  by  Auditors  in  Fiscal  Year  1999 

Agency 

Nonintegrated 

financial 

management 

systems 

Inadequate 

reconciliation 

procedures 

Noncompliance  with 
the  SGL 

Lack  of 
adherence  to 
federal 
accounting 
standards 

Weak  security 
over  information 
systems 

Department  of  Agriculture 

1 

V 

V 

a/ 

a/ 

Department  of  Commerce 

1 - 

- 

V 

V 

Department  of  Defense 

1 

V 

a/ 

a/ 

Department  of  Education 

1 

a/ 

a/ 

Department  of  Health  and 
Human  Services 

1 

V 

a/ 

Department  of  Housing  and 
Urban  Development 

- 

V 

a/ 

a/ 

Department  of  the  Interior 

a/ 

a/ 

Department  of  Justice 

- 

a/ 

V 

Department  of  Labor 

- 

- 

V 

a/ 

Department  of  State 

1 - 

V 

a/ 

Department  of  Transportation 

V 

V 

a/ 

a/ 

Department  of  the  Treasury 

1 - 

- 

V 

a/ 

V 

Department  of  Veterans  Affairs 

1 - 

V 

V 

V 

a/ 

Agency  for  International 
Development 

1 - 

V 

V 

a/ 

a/ 

Environmental  Protection 
Agency 

V 

a/ 

a/ 

a/ 

Federal  Emergency 
Management  Agency 

- 

- 

a/ 

General  Services 
Administration 

a/ 

Nuclear  Regulatory 
Commission 

a/ 

a/ 

Office  of  Personnel 
Management 

a/ 

a/ 

Small  Business  Administration 

- 

a/ 

a/ 

V 

Social  Security  Administration 

V 

Totals 

15 

15 

14 

15 

21 

Source:  GAO  analysis  of  agency  audit  reports  for  fiscal  year  1 999.  We  did  not  independently  verify  or 
test  the  data  in  the  agency  audit  reports. 
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Nonintegrated  Financial 
Management  Systems 


To  understand  how  these  weaknesses  affect  agencies*  financial 
management  efforts  and  to  bring  about  any  lasting  improvements,  it  is 
important  to  understand  what  these  weaknesses  mean  and  how  they  affect 
the  government’s  operations.  The  following  sections  describe  the  five  types 
of  weaknesses  and  provide  examples  identified  by  the  agencies’  auditors. 

One  of  the  federal  financial  systems  requirements  is  that  agencies’  financial 
management  systems  be  integrated.^"*  According  to  the  CFO  Act,  agencies 
are  to  develop  and  maintain  an  integrated  accounting  and  financial 
management  system  that  complies  with  federal  systems  requirements  and 
provides  for  (1)  complete,  reliable,  consistent,  and  timely  information  that 
responds  to  the  financial  information  needs  of  the  agency  and  facilitates 
the  systematic  measurement  of  performance,  (2)  the  development  and 
reporting  of  cost  information,  and  (3)  the  integration  of  accounting, 
budgeting,  and  program  information.  In  this  regard,  0MB  Circular  A- 127, 
Financial  Management  Systems,  requires  agencies  to  establish  and 
maintain  an  integrated  financial  management  system  that  conforms  with 
JFMIP’s  functional  requirements. 

When  agencies  do  not  have  an  integrated  financial  management  system — 
which  includes  a  budget  system  and  program  systems  that  maintain 
financial  information,  such  as  logistics,  personnel,  and  acquisition 
systems — they  are  often  forced  to  rely  on  ad  hoc  programming,  analysis,  or 
actions — such  as  taking  physical  inventories  solely  for  the  purpose  of 
determining  what  assets  they  have  on  hand  rather  than  verifying  amounts 
recorded  in  the  financial  system — to  satisfy  financial  reporting  and  analysis 
responsibilities.  In  these  situations,  agencies  must  expend  major  effort  and 
resources,  and  some  agencies  rely  heavily  on  external  consultants  to 
develop  information  that  their  systems  should  be  able  to  provide  on  a  daily 
or  recurring  basis.  In  addition,  opportunities  for  errors  are  significantly 
increased  when  agencies’  systems  are  not  integrated. 

Modern,  integrated  financial  systems  rely  on  transaction-based  entries  to 
update  all  relevant  accounts,  be  they  for  budgetary  control,  proprietary 
accounting  objectives,  or  program  management.  In  these  modern, 


^^Federal  financial  ^stem  requirements  define  an  integrated  financial  system  as  one  that 
coordinates  a  number  of  previously  unconnected  functions  to  improve  overall  efficiency 
and  control.  Characteristics  of  such  a  system  include  (1)  standard  data  classifications  for 
recording  financial  events,  (2)  common  processes  for  processing  similar  transactions, 

(3)  consistent  internal  controls  over  data  entry,  transaction  processing,  and  reporting,  and 

(4)  a  system  design  that  eliminates  unnecessary  duplication  of  transaction  entry. 
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integrated  systems,  financial  data  are  carried  in  a  common  format,  and  the 
effects  of  financial  transactions  in  one  application  are  accurately 
transmitted  to  other  affected  applications.  Accordingly,  aside  from  the 
timeliness  in  recording  transactions,  the  use  of  integrated  systems  largely 
negates  the  risk  of  out-of-balance  situations  and  data-entry  errors.  Thus, 
agencies  can  have  at  their  disposal  information  that  can  quickly  provide 
year-to-date  balances,  mitigate  the  need  for  extensive  reconciliation 
procedures,  and  more  important,  can  be  used  for  analysis  throughout  the 
year. 

A  continuing,  serious  problem  is  that  agencies  lack  modern,  integrated 
financial  management  systems.  As  shown  in  table  5,  auditors  for  15  of  the 
21  agencies  with  noncompliant  systems  reported  this  as  a  problem.  For 
example,  as  we  testified  in  February  2000,^^  the  Internal  Revenue  Service 
(IRS)  had  to  focus  substantial  efforts  on  developing  compensating 
processes  to  work  around  its  serious  systems  and  internal  control 
weaknesses  to  derive  year-end  balances  for  its  financial  statements.^® 
Because  IRS’  aging  financial  management  systems  have  not  been 
redesigned  to  meet  current  systems  requirements  and  financial  reporting 
standards,  IRS’  approach  to  preparing  financial  statements  relied  heavily 
on  costly,  time-consuming  processes;  statistical  projections;  and  external 
consultants  to  derive  year-end  balances.  For  instance,  IRS  continues  to 
have  pervasive  problems  in  managing  and  reporting  unpaid  assessments.^^ 
IRS  does  not  have  a  subsidiary  ledger  that  tracks  and  accumulates  unpaid 
assessments  and  their  status  on  an  ongoing  basis.  The  absence  of  the 
subsidiary  ledger  adversely  affects  IRS*  ability  to  effectively  manage  and 
accurately  report  these  assessments.  Typically,  an  entity’s  accounts 
receivable  balances  would  be  supported  by  detailed  records,  listings,  or  a 
subsidiary  ledger  of  individual  amounts,  which  are  all  part  of  an  integrated 
financial  management  system.  To  compensate  for  the  lack  of  an  unpaid 
assessment  subsidiary  ledger,  IRS  uses  ad  hoc  programs  that  extract  data 


Internal  Revenue  Service:  Results  of  Fiscal  Year  1999  Financial  Statement  Audit  (GAO/ 
T-AIMD-00-104,  February  29, 2000). 

^®The  Department  of  the  Treasury  is  1  of  the  21  agencies  whose  systems  were  reported  as 
noncompliant.  The  noncompliance  was  due,  among  other  things,  to  IRS’  systems  problems. 

^^Unpaid  assessments  consist  of  amounts  for  which  (1)  IRS  can  support  the  existence  of  a 
receivable  through  taxpayer  agreement  or  a  favorable  court  ruling  (federal  taxes 
receivable),  (2)  neither  the  taxpayer  nor  the  court  has  affirmed  that  the  amounts  are  owed 
(compliance  assessments),  and  (3)  IRS  does  not  expect  further  collections  due  to  factors 
such  as  the  taxpayer’s  death,  bankruptcy,  or  insolvency  (write-offs). 
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Inadequate  Reconciliation 
Procedures 


from  the  tax  master  files — its  database  of  taxpayer  information.  However, 
as  in  past  years,  the  results  still  required  significant  adjustments  totaling 
tens  of  billions  of  dollars  before  taxes  receivable  could  be  reliably  reported 
on  the  balance  sheet.  IRS’  top  management  recognizes  this  and  has 
demonstrated  a  strong  commitment  to  developing  an  integrated  system  as 
part  of  tax  systems  modernization. 

A  reconciliation  process,  even  if  performed  manually,  is  a  valuable  part  of  a 
sound  financial  management  system.  In  fact,  the  less  integrated  the 
financial  management  system,  the  greater  the  need  for  adequate 
reconciliations  because  data  for  the  same  transaction  may  be  separately 
entered  in  multiple  systems.  Reconciliation  of  records  from  the  multiple 
systems  would  ensure  that  transaction  data  were  entered  correctly  in  each 
one.  Reconciliation  is  also  an  important  control  for  establishing  agreement 
between  two  sets  of  independently  maintained  but  related  records  because 
it  helps  to  ensure  the  integrity  of  the  underlying  accounting  data  supporting 
the  financial  statements.  For  example,  in  a  private  company,  the  ledger 
account  for  Cash  in  Bank  is  reconciled  with  the  bank  statement  received 
from  the  bank,  and  the  home  office  record  of  shipments  to  a  branch  office 
is  reconciled  with  the  record  of  receipts  maintained  by  the  branch.  Our 
recently  updated  Standards  for  Internal  Control  in  the  Federal  Government 
highlight  reconciliation  ais  a  key  control  activity. 

As  shown  in  table  5,  auditors  for  15  of  the  21  agencies  with  noncompliant 
systems  reported  that  the  agencies  had  reconciliation  problems,  including 
difficulty  reconciling  their  Fund  Balance  with  Treasury  accounts^®  with  the 
Department  of  the  Treasury’s  records.  Treasury  policy  requires  agencies  to 
reconcile  their  accounting  records  with  Treasury  records  monthly,  which  is 
comparable  to  individuals  reconciling  their  checkbooks  to  their  monthly 
bank  statements.  However,  such  reconciliations  are  not  being  routinely 
performed. 


“Agencies  record  their  budget  spending  authorizations  in  their  Fund  Balance  with  Treasury 
accounts.  Agencies  increase  or  decrease  these  accounts  as  they  collect  or  disburse  funds. 
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Noncompliance  With  the  SGL 


For  example,  the  Department  of  Education’s  auditors  reported  that 
Education  did  not  perform  proper  or  timely  reconciliations  of  its  financial 
accounting  records  throughout  fiscal  year  1999.^®  And,  at  fiscal  year-end, 
the  balance  in  Education’s  Fund  Balance  with  Treasury  account  varied 
considerably  from  the  related  balance  reported  by  Treasury.  In  order  to 
make  the  account  balances  agree.  Education  made  an  unsupported 
adjustment  of  a  net  amount  of  about  $244  million  to  its  Fund  Balance  with 
Treasury  account.  This  means  that  Education  simply  changed  its  records  to 
agree  with  Treasury  balances  without  adequately  researching  the  causes 
and  reconciling  the  differences.  Because  Education  had  not  been 
performing  periodic  reconciliations  and  discerning  reasons  for  differences 
on  an  ongoing  basis,  it  could  not  determine  which  records,  if  any,  were 
correct  and,  accordingly,  relied  on  Treasury’s  records,  not  its  own. 

Implementing  the  SGL  at  the  transaction  level  is  one  of  the  major 
requirements  of  FFMIA.  However,  as  shown  in  table  5,  auditors  for  14  of 
the  21  agencies  with  noncompliant  systems  reported  that  the  agencies’ 
systems  did  not  comply  with  SGL  requirements.  By  not  implementing  the 
SGL,  agencies  are  challenged  to  provide  consistent  financial  information 
across  their  component  entities  and  functions.  The  effect  of  such 
differences  is  further  compounded  at  the  governmentwide  level  and 
contributed  to  our  disclaimer  of  opinion  on  the  U.S.  government’s 
consolidated  financial  reports  for  fiscal  years  1997, 1998,  and  1999  because 
the  government  could  not  ensure  that  the  information  in  its  financial 
statements  was  properly  and  consistently  compiled.®® 


^The  U.S.  Department  of  Education,  Audited  Financial  Statements,  Year  Ended 
September  30, 1999,  Report  of  Independent  Auditors,  Ernst  &  Young  LLP,  February  2, 2000. 
Also  see  Financial  Management:  Financial  Management  Weaknesses  at  the  Department  of 
Education  (GAO/T-AIMD-00-50,  December  6, 1999),  Financial  Management:  Education 
Faces  Challenges  in  Achieving  Financial  Management  Reform  (GAO/T-AIMD-00- 106, 

March  1, 2000),  and  Financial  Management:  Education's  Financial  Management  Problems 
Persist  (GAO/T-AIMD-00-180,  May  24, 2000). 

^Financial  Audit:  1997  Consolidated  Financial  Statements  of  the  United  States  Government 
(GAO/AIMD-98-127,  March  31, 1998),  Financial  Audit  1998  Financial  Report  of  the  United 
States  Government  (GAO/AIMD-99-130,  March  31, 1999),  and  Financial  Audit:  1999  Financial 
Report  of  the  United  States  Government  (GAO/AIMD-00-131,  March  31, 2000). 
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In  March,  a  Treasury  official  testified  that  the  federal  government  needs  to 
increase  the  use  of  the  SGL  in  agency  accounting  systems  to  improve  the 
reliability  and  accuracy  of  financial  information.^*  The  official  stated 

“Our  ability  to  prepare  the  consolidated  financial  report  using  SGL  data  so  that  it  is 
consistent  with  data  in  agency  statements  is  hampered  by  the  fact  that  a  large  number  of 
agencies  do  not  properly  use  the  SGL.  In  many  instances,  agencies  cannot  adequately 
produce  and  send  the  SGL  data  to  Treasury  because  their  systems  do  not  record  accounting 
events  using  the  SGL  at  the  transaction  level  as  mandated  by  the  FFMIA.  This  results  in 
additional  workload  and  processes  to  ensure  that  amounts  are  recorded  in  the  proper 
accounts.  Additionally,  this  frustrates  attempts  to  maximize  efficiency  through  the  creation 
of  automated  analytical  tools.” 

For  example,  the  Agency  for  International  Development’s  (AID)  IG 
reported  that  AID  did  not  record  accounts  receivable  in  accordance  with 
the  SGL  at  the  transaction  level.“  AID  relied  on  data  calls^^  to  obtain  the 
total  amount  of  outstanding  accounts  receivable  because  it  did  not  have 
integrated  financial  management  systems.  These  data  calls  were  posted  to 
the  general  ledger  at  the  summary  level  as  opposed  to  the  transaction  level 
as  required.  According  to  the  IG,  by  using  data  calls  to  determine 
outstanding  accounts  receivable,  AID  is  at  risk  that  the  information 
obtained  is  not  accurate  or  complete. 

One  of  FFMIA’s  requirements  is  that  agencies’  financial  management 
systems  comply  with  applicable  federal  accounting  standards.  As  shown  in 
table  5,  auditors  for  15  of  the  21  agencies  with  noncompliant  systems 
reported  that  the  agencies  had  problems  complying  with  one  or  more  of 
these  standards.  Some  agencies  have  experienced  difficulty  implementing 
the  standards  because  their  financial  management  systems  are  not  capable 
of  producing  the  financial  data  needed.  FASAB  continues  to  deliberate  on 
new  and  emerging  accounting  issues  that  could  result  in  its  issuing 
additional  standards;  therefore,  agencies’  systems  also  must  be  able  to 
accommodate  any  standards  that  may  be  issued  in  the  future. 


Lack  of  Adherence  to  Federal 
Accounting  Standards 


®'i4re  the  Financial  Records  of  the  Federal  Government  Reliable?  Testimony  of  Donald  V. 
Hammond,  Fiscal  Assistant  Secretary,  Department  of  the  Treasury,  March  31 ,  2000. 

^Reports  on  USAID’s  Consolidated  Financial  Statements,  Internal  Controls,  and 
Compliance  for  Fiscal  Year  1999  (Report  No.  0-000-00-006-F,  February  18, 2000). 

’’Data  calls  is  a  term  used  to  describe  the  process  of  requesting  that  various  offices  provide 
outstanding  balances  as  of  year-end.  The  resulting  reports  are  prepared  from  data  contained 
outside  the  formal  accounting  system. 
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For  example,  the  processes  and  procedures  used  by  the  Department  of 
Agriculture’s  (USDA)  lending  agencies  to  estimate  and  reestimate  loan 
subsidy  costs  do  not  comply  with  SFFAS  No.  2,  Accounting  for  Direct 
Loans  and  Loan  Guarantees.  SFFAS  No.  2,  which  generally  mirrors  the 
requirements  of  the  Federal  Credit  Reform  Act  of  1990,  contains  guidance 
for  agencies  to  estimate  the  cost  of  direct  and  guaranteed  loan  programs 
when  preparing  their  annual  budgets.  The  data  used  for  these  budgetary 
estimates  are  generally  reestimated  after  the  fiscal  year-end  to  reflect  any 
changes  in  actucd  loan  performance  since  the  budget  was  prepared.  SFFAS 
No.  2  also  contains  guidance  for  recording  the  reestimated  cost  of  direct 
loans  and  the  reestimated  liability  for  loan  guarantees  in  the  agency’s 
financial  statements.  Further,  SFFAS  No.  2  states  that  agencies  should  use 
historical  experience  as  a  primary  factor  upon  which  to  develop  estimates 
of  future  loan  performance. 

We  testified  in  March  that  USDA  was  unable  to  develop  reasonable 
estimates  of  the  costs  of  its  loan  programs  because  its  financial  systems 
were  not  able  to  capture  the  data  needed  to  make  these  estimates.^^  Also, 
USDA  lacked  historical  information  on  borrower  behavior,  such  as  how 
many  borrowers  will  pay  early,  pay  late,  or  default  on  their  loans  and  at 
what  point  in  time.  As  a  result,  the  Congress  and  other  decisionmakers  do 
not  know  whether  they  can  rely  on  the  agency-reported  costs  of  USDA’s 
loan  programs  included  in  the  agency’s  budget  request  and  in  its  annual 
financial  statements — estimated  to  be  in  excess  of  $27.3  billion  as  of 
September  30, 1999 — for  programmatic  and  budgetary  decision-making. 
Cost  estimates  based  on  unreliable  data  can  affect  the  availability  of  credit 
programs  to  potential  borrowers  because  changes  in  these  estimates  can 
affect  the  number  and  amount  of  loems  and  guarantees  that  can  be  made. 


^Financial  Management:  USDA  Faces  Major  Financial  Management  Challenges  (GAO/ 
T-AIMD-00-115,  March  21,  2000). 
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Weak  Security  Over  Information 
Systems 


Information  security  weaknesses  are  one  of  the  primary  causes  of  systems’ 
noncompliance  with  FFMIA  and  a  huge  concern  for  federal  agencies  and 
the  general  public.  Even  if  agencies’  systems  were  integrated,  complied 
with  the  SGL,  and  stringently  adhered  to  federal  accounting  standards, 
without  strong  information  security  controls,  there  is  still  the  risk  that  the 
systems  would  not  be  able  to  provide  reliable,  useful,  and  timely  data.  As 
we  testified  last  year  and  earlier  this  year,  hacker  attacks  have  shown  just 
how  quickly  computer  viruses — such  as  Melissa  and  ILOVEYOU — can 
spread  and  just  how  vulnerable  federal  information  systems  are  to  such 
computer  attacks.^®  These  hacker  attacks  have  clearly  highlighted  the 
urgent  and  serious  need  for  stronger  agency  and  governmentwide 
protection  over  agency  data. 

As  shown  in  table  5,  auditors  for  all  21  agencies  with  noncompliant  systems 
reported  information  security  weaknesses  as  a  problem  in  fiscal  year  1999. 
Further,  our  analyses  as  well  as  those  of  agency  IGs  show  that  virtually  all 
of  the  largest  federal  agencies  have  significant  computer  security 
weaknesses.^®  These  weaknesses,  which  we  designated  as  a 
governmentwide  high-risk  area  in  1997  and  1999,®^  are  placing  enormous 
amounts  of  federal  assets  at  risk  of  inadvertent  or  deliberate  misuse, 
financial  information  at  risk  of  unauthorized  modification  or  destruction, 
sensitive  information  at  risk  of  inappropriate  disclosure,  and  critical 
operations  at  risk  of  disruption.  Our  recent  update  to  the  federal 
government’s  internal  control  standards  highlights  the  need  for  adequate 
control  over  automated  information  systems  to  ensure  protection  from 
inappropriate  access  and  unauthorized  use  by  hackers  and  other 
trespassers  or  inappropriate  use  by  agency  personnel. 

The  most  serious  reported  information  security  problem  is  inadequately 
restricted  access  to  agency  data,  including  sensitive  data  such  as  taxpayer 
records,  personal  medical  information,  and  law  enforcement  data.  Other 


^Information  Security:  The  Melissa  Computer  Virus  Demonstrates  Urgent  Need  for  Stronger 
Protection  Over  Systems  and  Sensitive  Data  (GAO/T-AIMD-99-146,  April  15, 1999)  and 
Information  Security:  “ILOVEYOU"  Computer  Virus  Emphasizes  Critical  Need  for  Agency 
and  Governmentwide  Improvements  (GAOAT-AIMD-OO-l?!,  May  10, 2000). 

^Critical  Infrastructure  Protection:  Comments  on  the  National  Plan  for  Information  Systems 
Protection  (GAO/r-AIMD-00-72,  February  1, 2000)  and  Federal  Information  Security: 
Actions  Needed  to  Address  Widespread  Weaknesses  (GAO/T-AIMD-00-135,  March  29, 2000). 

^High-Risk  Series:  An  Overview  (GAO/HR-97- 1 ,  February  1 997)  and  High-Risk  Series:  An 
Update  (GAO^R-99-1,  January  1999). 
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types  of  information  security  weaknesses  include  inadequacies  in 
segregating  duties  to  help  ensure  that  people  do  not  conduct  unauthorized 
actions  without  detection,  preventing  unauthorized  software  from  being 
implemented,  and  mitigating  and  recovering  from  unplanned  interruptions 
in  computer  service.  Unresolved  information  security  weaknesses  could 
adversely  affect  the  ability  of  agencies  to  produce  accurate  data  for 
decision-making  and  financial  reporting  because  such  weaknesses  could 
compromise  the  reliability  and  availability  of  data  that  are  recorded  in  or 
transmitted  by  an  agency’s  financial  management  systems. 

For  example,  the  Department  of  Health  and  Human  Services’  (HHS)  IG 
cited  weaknesses  in  the  entitywide  security  structure  at  the  Health  Care 
Financing  Administration  (HCFA),  which  administers  the  Medicare 
program.^  HCFA  relies  on  extensive  computer  operations  at  both  its 
central  office  and  the  Medicare  contractors  to  administer  the  Medicare 
program  and  to  process  and  account  for  Medicare  expenditures,  which 
totaled  more  than  $200  billion  in  fiscal  year  1999.  Controls  over  these 
operations  are  essential  to  ensure  the  integrity,  confidentiality,  and 
reliability  of  critical  data  while  reducing  the  risk  of  errors,  fraud,  and  other 
illegal  acts.  These  control  weaknesses  do  not  effectively  prevent 
unauthorized  access  to  and  disclosure  of  sensitive  Medicare  information. 

In  recognition  of  these  serious  security  weaknesses,  we  have  issued  guides 
to  help  agencies  improve  security  over  their  information  systems.  As 
mentioned  previously,  auditors  for  the  21  agencies  with  noncompliant 
systems  reported  weaknesses  in  information  systems  security  as  a  cause  of 
FFMIA  noncompliance.  We  have  identified  best  practices  for  improving 
information  security  management,  which  we  published  in  two  guides: 

•  Information  Security  Management:  Learning  From  Leading 
Organizations  (GAO/AIMD-98-68,  May  1998)  and 

•  Information  Security  Risk  Assessment:  Practices  of  Leading 
Organizations  (GAO/AIMD-00-33,  November  1999). 


^Report  on  the  Financial  Statement  Audit  of  the  Department  of  Health  and  Human  Services 
for  Fiscal  Year  1999  (Report  No.  A-17-99-00002,  Februaiy  2000). 
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Our  guides  are  consistent  with  guidance  on  information  security  program 
management  provided  to  agencies  by  0MB  and  the  National  Institute  of 
Standards  and  Technology  (NIST).^  In  addition,  the  May  1998  guide  has 
been  endorsed  by  the  federal  Chief  Information  Officers  Council  as  a  useful 
resource  for  agency  managers. 

All  of  these  financial  systems  problems  date  back  many  years  and  agencies 
recognize  the  extent  and  severity  of  these  financial  management 
deficiencies.  The  serious  and  pervasive  nature  of  these  issues  emphasizes 
the  importance  of  developing  and  implementing  a  strategy  to  overcome 
these  problems.  As  we  discuss  in  the  next  section,  agencies  have  prepared 
remediation  plans  to  address  their  problems,  but  these  plans  need  to  be 
more  detailed  to  guide  agency  management  and  staff  as  they  resolve  their 
agencies’  financid  management  problems. 


Remediation  Plans 
Continue  to  Lack 
Important  Details 


As  required  by  FFMIA,  agencies  prepared  remediation  plans  describing  the 
corrective  actions  they  plan  to  take  to  resolve  their  problems  and  bring 
their  systems  into  substantial  compliance  with  FFMIAs  requirements.  For 
our  report  on  FFMIA  compliance  last  year/®  we  reviewed  remediation 
plans  agencies  prepared  to  address  problems  identified  in  the  fiscal  year 
1997  financial  statement  audits.  We  concluded  that  the  majority  of  the 
plans  lacked  sufficient  detail  to  be  adequate  tools  for  agency  management 
and  staff  to  use  in  resolving  financial  management  problems.  For  this 
report,  we  reviewed  agencies’  fiscal  year  1998  remediation  plans'*^  and 
determined  that  while  overall  the  plans  improved  slightly  over  those  for 
fiscal  year  1997,  many  plans  still  lacked  detailed  steps,  target  dates,  and 
descriptions  of  the  resources  needed  for  executing  the  corrective  actions. 
Further,  some  of  the  corrective  actions  included  in  the  remediation  plans 
we  reviewed  did  not  fully  address  the  problems  they  are  intended  to 


^^OMB  guidance  is  contained  in  its  Circular  A- 130,  Appendix  III,  Security  of  Federal 
Automated  Information  Resources,  updated  February  1996.  NIST  has  issued  numerous 
Federal  Information  Processing  Standards  as  well  as  a  comprehensive  description  of  basic 
concepts  and  techniques  entitled  An  Introduction  to  Computer  Security:  The  NIST 
Handbook,  Special  Publication  800-12,  October  1995,  and  Generally  Accepted  Principles  and 
Practices  for  Securing  Information  Technology  Systems,  published  in  September  1996. 

Financial  Management:  Federal  Financial  Management  Improvement  Act  Results  for  Fiscal 
Year  1998  (GAO/AIMD-00-3,  October  1, 1999). 

Remediation  plans  addressing  issues  identified  in  the  fiscal  year  1999  financial  statement 
audits  were  not  due  to  0MB  until  December  2000. 
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correct.  As  we  reported  last  year,  remediation  plans  need  to  be  sufficiently 
detailed  to  provide  a  “road  map”  for  agency  management  and  staff  to 
resolve  financial  management  problems.  The  severity  of  problems  facing 
agencies  as  they  attempt  to  replace  or  overhaul  old  and  outdated  financial 
systems  and  resolve  serious  information  security  weaknesses,  among  other 
things,  highlights  the  need  for  detailed  remediation  plans. 

Of  the  21  agencies  whose  systems  were  reported  to  be  noncompliant  with 
FFMIA  in  fiscal  year  1998, 19  prepared  remediation  plans."^^  Two  agencies— 
the  Social  Security  Administration  (SSA)  and  the  Federal  Emergency 
Management  Agency  (FEMA) — did  not  submit  remediation  plans  for  fiscal 
year  1998  to  0MB  because  agency  management  determined  that  their 
systems  were  in  substantial  compliance  with  FFMIA.  While  SSA  and  FEMA 
management  acknowledged  that  the  weaknesses  identified  by  the  auditors 
exist,  they  did  not  agree  with  the  auditors  that  the  weaknesses  resulted  in 
lack  of  “substantial”  compliance.  SSA  and  FEMA  have  provided  comments, 
including  corrective  actions,  in  response  to  the  auditors’  recommendations. 

FFMIA  provides  that  if  the  compliance  determination  of  the  agency  head 
differs  from  the  auditors’  findings,  the  Director  of  0MB  is  to  review  the 
determinations  and  provide  a  report  on  the  findings  to  the  appropriate 
committees  of  the  Congress.  Based  on  discussions  with  0MB  officials, 
0MB  is  not  reviewing  and  has  not  reviewed  such  determinations  in  order  to 
report  to  the  Congress.  According  to  0MB,  if  there  is  a  disagreement 
between  agency  heads  and  auditors,  agency  heads  can  contact  0MB,  and 
0MB  will  work  with  them  on  the  issue.  Further,  although  FFMIA  does  not 
require  a  remediation  plan  if  an  agency  head  determines  the  agency’s 
systems  comply  substantially,  agencies  are  directed  to  address  systems 
weaknesses  in  their  financial  management  improvement  plans  in 
accordance  with  0MB  Circular  A-11. 

We  reviewed  the  19  available  remediation  plans  to  determine  whether 
(1)  they  included  all  the  instances  of  noncompliance  identified  in  the  fiscal 
year  1998  financial  statement  audit  reports,  (2)  the  planned  corrective 
actions  were  accompanied  by  detailed  steps,  (3)  the  corrective  actions,  if 
successfully  implemented,  would  resolve  the  problems,  (4)  they  included 


^^The  Department  of  the  Treasury  did  not  prepare  a  departmentwide  remediation  plan. 
Rather,  the  bureaus  and  offices  of  the  department,  including  the  IRS,  that  had  noncompliant 
systems  prepared  their  own  separate  plans.  For  purposes  of  this  report,  we  considered  the 
individual  plans  together  as  the  overall  Treasuiy  plan. 
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information  about  resources  needed,  and  (5)  they  provided  target  dates  for 
completing  the  corrective  actions.  Figure  1  shows  the  results  of  our 
analysis. 


Figure  1:  Results  of  Review  of  Fiscal  Year  1998  Remediation  Plans 

Number  of  plans 

16  T - 


Are  the  cx)rrective  actions  for  Are  corrective  actions  Will  corrective  actions  Areresources  Included?  Are  time  frames  included? 

all  instances  of  detailed?  resolve  the  problems? 

noncompliance  Included? 


□  Yes  ■  No  ■  Uncertain 


As  shown  in  figure  1, 13  agencies’  remediation  plans  included  corrective 
actions  for  all  the  reported  instances  of  noncompliance  identified  during 
the  fiscal  year  1998  financial  statement  audits,  and  6  agencies’  remediation 
plans  did  not.  IRS  is  an  example  of  an  agency  that  did  not  include 
corrective  actions  for  all  reported  instances  of  noncompliance.  During  our 
audit  of  IRS’  fiscal  year  1999  financial  statements,  we  reviewed  its  fiscal 
year  1998  remediation  plan  dated  December  1999.^^  We  reported  that 


Financial  Audit:  IRS’ Fiscal  Year  1999  Financial  Statements  (GAO/AIMD-00-76, 
February  29, 2000). 
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although  we  identified  noncompliance  with  the  SGL  and  the  inability  to 
report  cost  accounting  information  as  two  reasons  why  IRS’  systems  did 
not  substantially  comply  with  FFMIA  in  fiscal  year  1998,  IRS’  remediation 
plan  did  not  include  corrective  actions  to  address  these  problems. 
However,  in  a  June  2000  update  to  its  remediation  plan,  IRS  included 
actions  to  address  the  SGL  and  cost  accounting  issues. 

Another  problem  we  found  with  some  remediation  plans  is  that  the 
corrective  actions  were  not  always  detailed.  As  shown  in  figure  1, 
corrective  actions  in  14  of  the  19  remediation  plans  were  broadly  stated 
and  did  not  include  detailed  steps  describing  how  actions  are  to  be 
accomplished.  An  example  of  a  plan  with  detailed  corrective  actions  is 
HHS’  remediation  plan.  In  its  plan,  HHS  hzis  proposed  eight  corrective 
actions  for  improving  its  financial  reporting  weaknesses,  including 

•  “Implement  additional  software  to  fully  interface  with  [operating 
divisions’]  systems  by  providing  an  electronic  interface,”  and 

•  “Perform  payroll  reconciliations  three  times  a  year.” 

In  contrast,  one  of  the  corrective  actions  in  DOT’s  remediation  plan  is  to 
implement  an  integrated  financial  management  system  that  substantially 
complies  with  federal  financial  management  systems  requirements.  Based 
on  our  review  of  DOT’s  remediation  plan,  we  found  no  detailed  steps  for 
guiding  this  system’s  implementation.  As  we  discuss  later,  when  an 
agency’s  corrective  actions  involve  implementing  or  replacing  financial 
management  systems,  it  is  important  to  have  a  detailed  plan  that  includes 
adopting  sound  information  technology  investment  and  control  processes. 

While  there  is  a  substantial  amount  of  professional  judgment  associated 
with  assessing  the  adequacy  of  these  plans,  we  determined  that  planned 
corrective  actions  would  likely  not  always  resolve  problems  identified  by 
agencies’  auditors.  As  shown  in  figure  1,  we  determined  that  the  corrective 
actions  in  the  remediation  plans  of  nine  agencies,  if  successfully 
implemented,  would  probably  resolve  the  problems.  It  is  uncertain  whether 
the  corrective  actions  in  the  plans  of  four  agencies  would  resolve  their 
problems,  and  for  six  of  the  agencies,  we  determined  that  the  corrective 
actions  described  in  the  agencies’  remediation  plans  probably  would  not 
resolve  the  problems.  For  example,  we  testified  in  May^^  that  the 


^Department  of  Defense:  Progress  in  Financial  Management  (GAO/T-AlMD/NSIAD-00-163, 
May  9,  2000). 
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Department  of  Defense’s  (DOD)  fiscal  year  1998  remediation  plan,  while  an 
improvement  over  the  previous  plan,  did  not  address,  among  other  things, 
how  the  planned  and  ongoing  improvement  initiatives  will  result  in  the 
target  financial  management  environment,  including  how  the  feeder 
systems’  data  integrity  will  be  improved.  Until  DOD’s  remediation  plan 
addresses  this  and  other  key  elements  there  can  be  no  assurance  that  the 
corrective  actions  taken  will  fully  resolve  the  underlying  problems. 

Although  0MB  guidance  and  FFMIA  state  that  remediation  plans  are  to 
include  intermediate  target  dates  and  resources  necessary  to  achieve 
substantial  compliance,  several  of  the  remediation  plans  were  lacking 
resource  information  and  a  few  of  the  plans  were  lacking  target  dates.  As 
shown  in  figure  1, 13  of  the  19  remediation  plans  we  reviewed  did  not 
include  resources  needed.  In  the  six  plans  that  did  include  resources 
needed,  the  information  was  not  always  included  for  every  corrective 
action.  Five  of  the  19  plans  did  not  include  target  dates;  however,  as  was 
the  case  with  resource  information,  when  target  dates  were  included,  they 
were  not  always  included  for  individual  corrective  actions.  Resource 
information  is  important  for  agencies  and  0MB  to  determine  whether 
corrective  actions  can  realistically  be  undertaken.  Setting  specific 
intermediate  target  dates  will  help  keep  agencies  on  track  as  they 
implement  corrective  actions. 


Systems  Replacement 
Projects  Emphasize  a  Need 
for  Detailed  Plans 


The  importance  of  having  a  good  remediation  plan  becomes  more  evident 
when  corrective  actions  in  remediation  plans  involve  information 
technology  (IT)  investments,  such  as  implementing  or  replacing  financial 
management  systems  or  software.  We  have  reported  that  in  the  past, 
agencies  have  struggled  to  develop  and  implement  new  systems  on  time 
and  within  budget  and  that  billions  of  dollars  have  been  wasted  on  systems 
development  projects.^® 


Major  Management  Challenges  and  Program  Risks:  A  Govemmentwide  Perspective 
(GAO/OCG-99-1,  January  1999). 
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Planning  for  and  executing  systems  development  projects  present  major 
challenges  for  many  agencies.  For  example,  the  Department  of  Education 
implemented  a  new  accounting  system  that  was  intended  to  be  operational 
for  fiscal  year  1998.  In  a  December  1999  testimony,^®  we  reported  that 
pervasive  weaknesses  in  the  design  and  operation  of  Education’s  financial 
management  systems,  among  other  things,  prevented  Education  from 
reliably  reporting  on  the  results  of  its  operations  in  fiscal  year  1998. 
Weaknesses  in  the  new  accounting  system  included  the  inability  to  perform 
an  automated  year-end  closing  process  and  directly  produce  consolidated 
financial  statements  as  would  normally  be  expected  from  such  systems. 
The  systems  limitations  contributed  to  the  delay  in  Education  submitting 
its  fiscal  year  1998  financial  statements  to  the  auditors  and  to  Education’s 
failure  to  meet  the  statutory  due  date  for  issuing  its  audited  financial 
statements  for  fiscal  year  1998.  Because  of  these  problems.  Education’s 
auditors  recommended,  among  other  things,  that  Education  define  and 
document  the  information  system  requirements  needed  to  manage  its 
operations  efficiently.^^ 


^^Financial  Management:  Financial  Management  Weaknesses  at  the  Department  of 
Education  (GAO/T-AIMD-00-50,  December  6, 1999). 

^^Department  of  Education,  Fiscal  Year  1998  Consolidated  Financial  Statements,  Ernst  & 
Young  LLP.  November  1999. 
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The  Department  of  Housing  and  Urban  Development  (HUD)  also 
experienced  problems  after  it  failed  to  successfully  plan  and  implement  a 
new  system.  To  correct  financial  management  deficiencies,  HUD  initiated  a 
project  to  design  and  implement  an  integrated  financial  system,  HUD’s 
Central  Accounting  and  Program  System  (HUDCAPS);  however,  the  IG 
found  problems  with  the  project. ‘'®  The  IG  reported  that  the  decision  to 
implement  HUDCAPS  as  the  core  accounting  system  for  the  department 
was  made  without  a  complete  and  thorough  analysis  of  alternatives.  After 
much  effort,  schedule  delays,  and  cost  increcises,  HUDCAPS  was  prepared 
to  operate  as  a  departmentwide  system  beginning  in  fiscal  year  1999. 
However,  the  IG  determined  that  <is  implemented,  HUDCAPS  did  not  fully 
comply  with  federal  financial  management  systems  requirements  and  that  a 
lack  of  Integration  between  program  and  accounting  systems  necessitated 
duplicate  data  entry.  Further,  data  in  a  separate  system  at  HUD’s  Federal 
Housing  Authority  were  not  updated  in  HUDCAPS  in  a  timely  manner.  The 
problems  with  HUDCAPS  caused  HUD  to  delay  closing  of  the  general 
ledger  and  preparation  of  the  financial  statements,  which,  in  turn, 
contributed  to  the  IG’s  disclaimer  of  opinion^®  on  HUD’s  fiscal  year  1999 
financial  statements. 

Fourteen  agencies  have  plans  to  implement  or  overhaul  their  core  financial 
management  systems  or  to  install  new  software.  Some  of  these  14  agencies 
are  in  the  process  of  implementing  new  systems  or  software,  while  others 
are  in  the  planning  stages.  Implementing  or  overhauling  financial 
management  systems  will  understandably  take  time,  and  the  systems  may 
not  be  operational  for  several  years.  For  example,  HCFA  has  several 
projects  planned  and  underway  that  are  intended  to  correct  problems 
identified  during  financial  statement  audits.  As  we  reported  in  March,® 
these  projects  include  (1)  developing  an  integrated  accounting  system  to 
include  both  the  tracking  of  Medicare  overpayments  and  financial 
reporting  and  (2)  developing  two  new  systems  to  improve  oversight  and 
financial  reporting  over  Medicare  receivables.  While  the  integrated 


**  Report  on  Efforts  to  Audit  the  U.S.  Department  of  Housing  and  Urban  Deveiopment's 
Fiscai  Year  1999  Financial  Statements  (OO-FO- 177-0003,  March  1, 2000). 

disclaimer  of  opinion  means  the  auditors  are  unable  to  determine  the  overall  fairness  of 
the  financial  statements.  This  type  of  result  might  occur  if  the  audit  revealed  the  system  of 
internal  control  to  be  grossly  inadequate  or  if  the  auditors  for  any  reason  did  not  or  could 
not  perform  sufficient  work  to  have  a  basis  for  an  opinion. 

^Medicare  Financial  Management:  Further  Improvements  Needed  to  Estabiish  Adequate 
Financial  Control  and  Accountability  (GAO/AIMD-00-66,  March  15, 2000). 
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accounting  system  has  the  potential  to  provide  major  improvements  in 
HCFA’s  financial  management,  successful  implementation  will  require  well- 
defined  plans  and  sustained  management  focus  over  the  3-  to  5-year 
implementation  period.  HCFA  hired  an  experienced  systems  development 
specialist  to  help  ensure  successful  implementation  of  this  integrated 
accounting  system. 

To  ensure  that  IT  dollars  are  directed  toward  prudent  investments  designed 
to  achieve  cost  savings,  increase  productivity,  and  improve  the  timeliness 
and  quality  of  service  delivery,  agencies  need  to  apply  the  framework 
outlined  in  the  Clinger-Cohen  Act  of  1996  and  implementing  guidance.®^ 
This  includes  adopting  sound  IT  investment  and  control  processes, 
designing  well-developed  architectures  to  guide  information  flows  and 
technical  standards,  and  establishing  disciplined  approaches  for 
developing  and  acquiring  computer  software. 

In  this  regard,  we  have  worked  on  strengthening  federal  agency 
management  of  IT  investment  and  have  developed  guidance  based  on  best 
practices  in  the  public  and  private  sectors  related  to  IT  investment.  Two 
guides  resulting  from  our  work  are 

•  Assessing  Risks  and  Returns:  A  Guide  for  Evaluating  Agencies  *  IT 
Investment  Decision-making  (GAO/ AlMD-lO.l. 13,  February  1997)  and 

•  Executive  Guide:  Measuring  Performance  and  Demonstra  ting  Results  of 
Information  Technology  Investments  (GAO/AIMD-98-89,  March  1998). 

However,  it  is  important  to  remember  that  these  guides  are  not  a  “silver 
bullet”  to  guarantee  success.  Rather,  the  key  is  for  organizations  to  adopt 
and  effectively  implement  policies  and  procedures,  such  as  those  described 
in  the  guides,  that  foster  the  necessary  discipline  for  the  organizations  to 
produce  predictable  and  repeatable  results.  Therefore,  it  is  critical  that 
each  organization  first  choose  the  practices  that  are  compatible  with  its 
culture  and  then  effectively  implement  those  practices. 

0MB  officials  told  us  that  they  are  working  with  agencies  regarding  the 
application  of  the  framework  outlined  in  the  Clinger-Cohen  Act.  According 
to  the  0MB  officials,  0MB  s  review  of  agencies’  IT  capital  asset  planning 


®‘The  Clinger-Cohen  Act  builds  on  the  best  practices  of  leading  public  and  private 
organizations  by  requiring  agencies  to  better  link  IT  planning  cind  investment  decisions  to 
program  missions  and  goals. 
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processes  is  linked  to  its  review  of  agencies’  remediation  plans.  This  review 
process  is  discussed  further  in  the  next  section. 


0MB  Plays  an 
Important  Role  by 
Providing  Guidance  on 
FFMIA  Implementation 
Issues 


OMB  plays  a  vital  role  in  providing  agencies  and  auditors  with  guidance 
and  ensuring  that  agencies  have  adequate  resources  to  effect  the  necessary 
corrective  actions.  Specifically,  OMB  provides  (1)  guidance  and  assistance 
to  agencies  related  to  preparing  remediation  plans,  (2)  FFMIA 
implementation  guidance  for  agencies  and  auditors,  and  (3)  requirements 
for  auditors  of  agency  financial  statements,  including  requirements  for 
reporting  compliance  with  FFMIA. 


RGmediation  Plan  Guidance  The  advisory  role  FFMIA  established  for  OMB  with  respect  to  agency 
and  Assistance  remediation  plans  is  important  for  addressing  the  types  of  problems  we 

noted  in  the  remediation  plans  we  reviewed.  Therefore,  last  year  we 
recommended  that  OMB  work  with  the  agencies  to  ensure  that  all 
remediation  plans  are  prepared  and  submitted  timely.  We  also 
recommended  that  OMB  review  agencies’  plans  for  (1)  detailed  corrective 
actions  that  fully  address  reported  problems,  (2)  inclusion  of  resource 
requirements,  and  (3)  specific  time  frames  needed  to  implement  and 
resolve  problems. 

OMB  officials  told  us  that  they  have  adopted  a  new  approach  for  reviewing 
agencies’  remediation  plans.“  An  integral  part  of  this  new  approach  is 
integrating  FFMIA  and  financial  management  systems  issues,  especially 
plans  to  overhaul  or  replace  financial  management  systems,  with  agencies’ 
IT  capital  planning  and  budgeting  processes.  OMB  officials  told  us  that  they 
met  with  officials  from  20  agencies  this  summer  to  discuss  their  upcoming 
budget  submissions  and  FFMIA  remediation  plans.  The  purpose  of  these 
meetings  was  to  present  OMB’s  new  approach  and  to  let  managers  know 
that  FFMIA  remediation  plans  would  be  considered  in  conjunction  with 
agencies’  capital  asset  plans  and  overall  systems  architectures.  According 
to  OMB  officials,  these  meetings  were  attended  by  officials  and  staff  from 
three  OMB  offices — the  Office  of  Federal  Financial  Management,  the  Office 
of  Information  and  Regulatory  Affairs,  and  the  Office  of  Federal 
Procurement  Policy — as  well  as  OMB’s  resource  management  officers 


“Although  this  approach  Is  new,  according  to  OMB  officials,  remediation  activities 
underway  at  agencies  previously  reported  to  OMB  are  considered  in  this  process. 
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(formerly  known  as  budget  examiners)  assigned  to  the  agencies.  Agency 
officials  attending  the  meetings  included  the  agencies’  CFOs,  chief 
information  officers,  and  budget  and  procurement  executives.  In  addition 
to  the  meetings  held  this  summer,  0MB  has  conducted  training  for  agency 
managers  and  staff  about  its  new  approach  of  integrating  financial 
management  systems  planning  with  IT  strategies  and  capital  budgeting. 

OMB’s  new  approach  should  help  it  carry  out  its  advisory  role  established 
by  FFMIA.  The  meetings  between  0MB  and  agency  officials  can  provide  a 
strategic  perspective  on  financial  and  technical  issues  related  to  developing 
and  implementing  fully  integrated  financial  management  systems.  With  this 
new  approach,  0MB  intends  to  ensure  that  remediation  plans  are 
(1)  integrated  into  the  agency’s  IT  strategy,  (2)  well  documented,  and 
(3)  supported  by  the  agency’s  budget  requests.  However,  because  the 
approach  is  new,  we  cannot  comment  on  whether  it  will  be  successful  in 
improving  agencies’  remediation  plans  and  thus  improve  financial 
management  in  general. 

Guidance  to  Agencies  and 
Auditors 

0MB  has  recently  proposed  revisions  to  0MB  Bulletin  No.  98-08,  Audit 
Requirements  for  Federal  Financial  Statements.  We  have  reviewed  the 
proposed  revisions  relating  to  the  (1)  implementation  guidance  for 
agencies  and  auditors  and  (2)  FFMIA  compliance  reporting  requirements 
for  auditors  of  agencies’  financial  statements.  We  are  working  with  0MB  to 
address  our  concerns. 

Other  Efforts  to 
Improve  Financial 
Management 

1 - - 

Other  efforts  across  government  are  also  underway  to  help  agencies 
improve  their  systems  and  financial  management  overall.  JFMIP  tests 
commercial  off-the-shelf  software  for  compliance  with  current  systems 
requirements  and  updates  and  issues  systems  requirements  documents. 
Also,  tools  for  auditors  and  agencies  to  use  when  reviewing  systems  for 
compliance  with  FFMIA  are  contained  in  an  exposure  draft  of  a  review 
guide  issued  by  JFMIP  and  the  CFO  Council  and  in  checklists  that  we  have 
published. 

JFMIP  Software 
Certification 

An  important  effort  focused  specifically  on  improving  federal  financial 
systems  is  the  work  of  the  JFMIP.  In  a  governmentwide  cooperative  effort 
to  improve  federal  financial  systems,  JFMIP  established  its  Program 
Management  Office  (PMO)  in  1998  with  resources  provided  by  the  24  CFO 
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Act  agencies  to  cissist  agencies  and  vendors  in  developing  and 
implementing  commercial  off-the-shelf  software  that  complies  with  current 
financial  management  system  requirements.  PMO  s  responsibilities  include, 
among  other  things,  developing  comprehensive  testing  vehicles, 
interpreting  requirements,  serving  as  an  information  clearinghouse  for 
federal  financial  systems,  and  facilitating  communication  with  the  private 
sector. 

In  fiscal  year  1999,  PMO  implemented  a  new  software  testing  process  in 
which  it  tests  vendor  products  to  certify  that  they  meet  current  JFMIP 
systems  requirements.  PMO  publishes  the  testing  results  in  its  Web-based 
electronic  repository,  called  the  Knowledgebase,  which  also  includes 
information  for  agencies  and  vendors  about  financial  systems 
requirements,  business  practices,  and  certified  vendor  products.  JFMIP- 
compliant  systems  help  assure  an  agency  that  the  system  properly  records 
transactions  defined  in  JFMIP’s  Core  Financial  System  Requirements. 
However,  agencies  will  still  need  to  define  their  business  requirements  and 
then  compare  the  various  applications  against  those  requirements  to 
identify  gaps.  Once  these  gaps  are  identified,  agencies  need  to  determine 
the  cost,  schedule,  and  performance  impacts  associated  with  these  gaps 
and  determine  the  best  approach  to  accomplishing  the  requirement — 
modifying  the  system  or,  if  the  desired  functionality  is  not  cost  effective, 
eliminating  the  requirement.  0MB  Circular  A-127,  Financial  Management 
Systems,  requires  that  agencies  replacing  software  to  meet  core  financial 
system  requirements  use  off-the-shelf  software  that  has  been  tested  and 
certified  through  the  JFMIP  software  certification  process  as  meeting 
JFMIP  core  financial  system  requirements. 
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Tools  for  Reviowing  JFMIP,  in  cooperation  with  the  CFO  Council,  has  issued  an  exposure  draft 

Compliance  With  FFMIA  ^  guide”  to  assist  agencies  in  reviewing  financial  management  systems 

as  required  by  FFMIA  and  other  legislation.  This  guide  serves  as  a  tool  to 
assist  agency  managers  in  determining  whether  their  agencies’  financial 
management  systems  comply  with  FFMIA,  as  well  as  the  Financial  Integrity 
Act  and  0MB  Circular  A- 1 27.  Although  the  guide  is  written  for  use  by 
agency  managers,  the  guide  will  also  assist  auditors  conducting  reviews 
under  FFMIA  by  helping  them  understand  how  financial  and  program 
managers  evaluated  their  systems.  As  of  September  2000,  the  exposure 
draft  was  being  revised  to  incorporate  final  comments  of  the  JFMIP 
Steering  Committee.” 

We  have  also  published  checklists  to  assist  agencies  in  implementing  and 
monitoring  their  systems  and  to  assist  management  and  auditors  in 
reviewing  systems  to  determine  whether  they  are  in  substantial  compliance 
with  FFMIA.  The  checklists  are  based  on  JFMIP  systems  requirements 
documents.  We  issue  them  when  JFMIP  requirements  are  published  for  the 
first  time  and  when  requirements  are  updated.  Table  6  lists  the  checklists 
we  have  issued  in  final  form  or  as  exposure  drafts. 


Table  6:  Checklists  for  Reviewing  Systems  Under  the  Federal  Financial  Management  Improvement  Act 

Checklist 

Issue  date 

GAO/AIMD-98-21 .2.1  Framework  for  Federal  Financial  Management  System  Checklist 

May  1998 

GAO/AIMD-00-21.2,2  Core  Financial  System  Requirements  Checklist 

February  2000 

GAO/AIMD-OO-21 .2.3  Human  Resources  and  Payroll  Systems  Checklist 

March  2000 

GAO/AIMD-98-21 .2.4  Inventory  System  Checklist 

May  1998 

GAO/AIMD-21 .2.5  Seized  Property  and  Forfeited  Assets  System  Requirements  Checklist  (exposure  draft) 

April  2000 

GAO/AIMD-21-2.6  Direct  Loan  System  Requirements  Checklist 

April  2000 

GAO/AIMD-21-2.7  Guaranteed  Loan  System  Requirements  (exposure  draft) 

August  2000 

GAO/AIMD-21 .2,8  Travel  System  Requirements  Checklist 

May  2000 

GAO/AIMD-99-21 .2.9  System  Requirements  for  Managerial  Cost  Accounting  Checklist 

January  1999 

Financial  Management  Systems  Compliance  Review  Guide,  JFMIP-MI-99-1 5,  October  1999, 
exposure  draft. 

®^The  Steering  Committee  is  responsible  for  the  general  direction  of  JFMIP  and  is  comprised 
of  representatives  from  GAO,  Treasury.  0MB,  0PM,  and  a  program  agency. 
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Lessons  Learned  From 
Year  2000  Efforts 


The  leadership  and  partnerships  established  to  successfully  address  the 
Year  2000  computing  problem  provide  valuable  lessons  that  can  also  be 
used  to  address  financial  management  reform  across  government.  In  our 
October  1999  FFMIA  report,®^  we  noted  that  addressing  Year  2000 
conversion  issues  was  understandably  a  priority  for  federal  agencies  and 
that  Year  2000  preparation  had  resulted  in  delaying  financial  systems 
changes  in  some  agencies.  We  also  reported  that  over  the  long  term,  there 
should  be  residual  benefits  from  Year  2000  efforts.  Now  that  the  federal 
government  has  made  the  successful  conversion  to  Year  2000,  it  can  apply 
those  valuable  lessons  to  other  critical  management  challenges. 


We  testified  in  January  about  the  Year  2000  computing  challenge,  including 
lessons  that  can  be  carried  forward  to  improve  the  management  of 
information  technology  activities.^®  Among  the  lessons  learned  were  the 
importance  of  (1)  providing  high-level  congressional  and  executive  branch 
leadership,  (2)  understanding  the  importance  of  computer-supported 
operations,  (3)  providing  standard  guidance,  (4)  establishing  partnerships, 
(5)  facilitating  progress  and  monitoring  performance,  and  (6)  implementing 
fundamental  IT  improvements.  The  Year  2000  efforts  have  reinforced  an 
understanding  of  the  importance  of  consistent  and  persistent  top 
management  attention,  which  is  essential  to  solving  any  intractable 
problem.  In  a  recently  issued  report  on  how  lessons  learned  can  be  applied 
to  other  management  challenges,  we  reiterated  that  high-level  management 
attention  was  key  to  successfully  meeting  the  Year  2000  challenge.®^  We 
reported  that  while  the  Year  2000  problem  was  technical  in  nature,  it  was 
primarily  a  management  problem,  with  organizations  facing  the  risk  of 
disruptions  of  their  core  business  processes.  Federal  officials  and  other 
participants  in  a  Year  2000  lessons  learned  summit  cited  high-level 
leadership  and  top  management  involvement  as  key  to  Year  2000  success. 

According  to  officials  at  0MB,  the  Year  2000  problem  also  gave  agency 
chief  information  officers  a  “crash  course”  in  how  to  accomplish  projects. 
Many  chief  information  officers  were  relatively  new  in  their  positions,  and 


Financial  Management:  Federal  Financial  Management  Improvement  Act  Results  for  Fiscal 
Year  1998  (GAO/AIMD-00-3,  October  1, 1999). 

“  Year  2000  Computing  Challenge:  Leadership  and  Partnerships  Result  in  Limited  Rollover 
Disruptions  (GAO/T-AIMD-OO-TO,  January  27, 2000). 

Year  2000  Computing  Challenge:  Lessons  Learned  Can  Be  Applied  to  Other  Management 
Challenges  (GAO/AIMD-00-290.  September  12, 2000). 
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expediting  Year  2000  efforts  required  many  of  them  to  quickly  gain  an 
understanding  of  their  agencies’  systems,  work  extensively  with  agency 
program  managers  and  CFOs,  and  become  familiar  with  budgeting  and 
financial  management  practices.  Addressing  these  issues,  in  turn,  provided 
them  with  real-time  experience  in  responding  to  far-reaching  management 
problems  and  in  finding  solutions.  These  experiences  could  prove  valuable 
to  resolving  the  systems  issues  impeding  compliance  with  FFMIA. 


Conclusions  Long-standing  problems  with  agencies’  financial  systems  make  it  difficult 

for  the  agencies  to  produce  reliable,  useful,  and  timely  financial 
information  and  hold  managers  accountable.  Federal  managers  need  this 
important  information  for  formulating  budgets,  managing  government 
programs,  and  making  difficult  policy  choices.  The  extraordinary  efforts 
that  many  agencies  go  through  to  produce  auditable  financial  statements 
are  not  sustainable  in  the  long  term.  These  efforts  use  significant  resources 
that  could  and  should  be  used  for  other  important  financial-related  work. 
For  these  reasons,  the  widespread  systems  problems  facing  the  federal 
government  need  top  management  attention.  We  learned  from  the  Year 
2000  experience  that  proactive  leadership  at  the  highest  levels  of 
government  is  one  of  the  most  important  factors  in  prompting  attention 
and  action  on  a  widespread  problem. 

The  federal  government’s  size  and  complexity  and  the  discipline  needed  to 
overhaul  or  replace  its  financial  management  systems  present  a  significant 
challenge — not  simply  a  challenge  to  overcome  a  technical  glitch,  but  a 
demanding  management  challenge  that  requires  attention  from  the  highest 
levels  of  government.  We  recognize  that  it  will  take  time,  investment,  and 
sustained  emphasis  on  correcting  deficiencies  to  improve  federal  financial 
management  systems  to  the  level  required  by  FFMIA  and  to  effectively 
manage  government  funds.  The  significance  of  the  issues  facing  agencies, 
now  and  in  the  future,  emphasizes  the  need  for  detailed  remediation  plans. 
As  envisioned  by  the  act,  these  remediation  plans  would  help  agencies 
establish  seamless  systems  and  processes  to  routinely  generate  reliable, 
useful,  and  timely  information  that  would  improve  agencies’  accountability 
and  help  them  to  meet  the  statutoiy  deadline  for  issuing  audited  financial 
statements. 

Because  OMB’s  approach  for  reviewing  agencies’  remediation  plans  is  new, 
we  cannot  yet  determine  whether  it  will  be  successful.  As  part  of  oxir  next 
annual  review  of  FFMIA  compliance,  we  will  evaluate  whether  this  new 
approach  fully  addressed  our  recommendation  in  our  prior  report 
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regarding  OMB’s  role  related  to  ensuring  the  adequacy  of  agencies’ 
remediation  plans. 

Also,  until  all  24  CFO  Act  agencies  can  meet  the  statutory  deadline  for 
issuing  audited  financial  statements,  0MB  and  agencies’  efforts  must 
continue.  Therefore,  we  reaffirm  the  recommendation  we  made  in  our  prior 
report  that  the  Director  of  0MB  require  the  Deputy  Director  for 
Management  to  work  with  the  agencies  to  ensure  that  the  agencies’ 
financial  statements  are  audited  and  issued  by  the  March  1  statutory 
deadline.  With  concerted  effort,  including  attention  from  top  agency 
management  and  the  Congress,  the  federal  government  can  improve  its 
financial  management  systems  and  thus  achieve  the  goals  of  the  CFO  Act 
and  provide  accountability  to  the  nation’s  taxpayers. 


Agency  Comments  and 
Our  Evaluation 


In  comments  on  a  draft  of  this  report,  0MB  stated  that  it  concurs  with 
FFMIA’s  compliance  requirements,  but  believes  our  report  does  not  give 
credit  for  progress  made  or  improvement  efforts  underway  by  agencies. 
0MB  also  expressed  concern  that,  as  currently  written  in  0MB  guidance, 
compliance  requirements  were  black  and  white — meaning  an  agency  was 
either  compliant  or  not  compliant.  0MB  stated  that  such  an  approach  does 
not  measure  the  progress  many  agencies  are  making  in  one  or  more  of  the 
three  compliance  areas — federal  financial  management  systems 
requirements,  applicable  federal  accounting  standards,  and  the  SGL  at  the 
transaction  level.  We  agree  with  OMB’s  comment  that  it  is  important  to 
measure  progress  toward  improvement  and  acknowledge  that  the  agencies 
are  moving  in  the  right  direction.  Accordingly,  our  report  states  that 
agencies  are  slowly  making  progress  towards  compliance  with  FFMIA’s 
requirements.  While  FFMIA  requires  reporting  on  whether  or  not  an 
agency’s  systems  comply  with  the  act’s  requirements,  a  number  of  avenues 
exist  for  reporting  progress.  We  plan  to  work  with  0MB  to  enhance  the 
reporting  by  agencies,  auditors,  and  0MB  on  progress  made  in  achieving 
compliance  with  FFMIA. 


In  its  comments,  0MB  also  discussed  the  applicability  of  information 
security  requirements  in  assessing  compliance  with  FFMIA.  0MB  stated 
that  some  problems  relating  to  systems  security  must  be  addressed  at  a 
departmentwide  level  by  the  Chief  Information  Officer.  0MB  stated  that 
many  of  the  problems  with  information  security  that  we  highlighted  in  the 
report  are  in  mixed  or  enterprise  systems  well  beyond  the  influence  of  the 
CFO.  We  agree  that  information  security  is  an  agencywide  responsibility, 
not  limited  to  efforts  directly  under  the  purview  of  the  agency  CFO, 


Page  43 


GAO/AIMD-00  307  FFMIA  Results  for  Fiscal  Year  1999 


B-286104 


However,  it  is  important  to  recognize  that  FFMIA  not  only  applies  to 
financial  systems,  but  also  to  the  financial  portion  of  mixed  systems.  To  the 
extent  the  financial  and  non-financial  portions  of  mixed  systems  cannot  be 
separated  for  purposes  of  information  security  controls,  the  mixed  systems 
in  their  entirety  necessarily  are  subject  to  FFMIA.  Further,  nothing  in 
FFMIA  limits  its  application  to  systems  within  the  influence  of  the  agency 
CFO.  Rather,  FFMIA  refers  only  to  agency  systems  and  vests  ultimate 
responsibility  in  the  agency  head  for  determining  whether  agency  systems 
comply  with  FFMIA  requirements  and  for  establishing  remediation  plans. 
Therefore,  we  continue  to  believe  that  when  reviewing  financial 
management  systems  for  compliance  with  FFMIA,  security  controls  over 
financial  and  mixed  systems  would  appropriately  be  included. 

0MB  also  had  numerous  other  comments  that  we  incorporated  into  the 
report  as  appropriate.  Appendix  I  includes  OMB’s  comments  and  our 
responses. 


We  are  sending  copies  of  this  report  to  Senator  George  V.  Voinovich, 
Chairman,  and  Senator  Richard  J.  Durbin,  Ranking  Minority  Member, 
Subcommittee  on  Oversight  of  Government  Management,  Restructuring, 
and  the  District  of  Columbia,  Senate  Committee  on  Governmental  Affairs; 
and  to  Representative  Stephen  Horn,  Chairman,  and  Representative  Jim 
Turner,  Ranking  Minority  Member,  Subcommittee  on  Government 
Management,  Information  and  Technology,  House  Committee  on 
Government  Reform.  We  are  also  sending  copies  to  the  Honorable  Jacob  J. 
Lew,  Director  of  the  Office  of  Management  and  Budget;  the  Honorable 
Lawrence  H.  Summers,  Secretary  of  the  Treasury;  the  heads  of  the  24  CFO 
Act  agencies;  and  agency  CFOs  and  IGs.  Copies  will  also  be  made  available 
to  others  upon  request. 
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This  report  was  prepared  under  the  direction  of  Gloria  L.  Jarmon,  Director, 
Health,  Education,  and  Human  Services  Accounting  and  Financial 
Management  Issues,  who  may  be  reached  at  (202)  512-4476  or  by  e-mail  at 
Jarmong.aimd@gao.gov  if  you  have  any  questions.  Key  contributors  to  this 
assignment  were  Kay  Daly,  Diane  Morris,  Sandra  Silzer,  and  Meg  Mills. 


David  M.  Walker 
Comptroller  General 
of  the  United  States 
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Note:  GAO  comments 
supplementing  those  in  the 
report  text  appear  at  the  end 
of  this  appendix. 


See  comment  1 . 


OFFICE  OF  FEDERAL 
FINANCIAL  MANAGEMENT 


EXECUTIVE  OFFICE  OF  THE  PRESIDENT 
OFFICE  OF  MANAGEMENT  AND  BUDGET 

WASHINGTON,  D.  C.  20503 


Mr.  Jeffrey  C.  SteinhofF  SEP  2  1  2000 

Assistant  ComptroHer  General 

U.  S.  General  Accounting  Office 

441  G.  Street  NW 

Washington,  DC  20548 

Dear  Mr. 

for  the  opportunity  to  review  the  draft  report  “Federal  Financial  Management 
Improvement; AcjRcsults  (FFMIA)  for  Fiscal  Year  1999.“ 

As  we  discussed  on  September  13th,  I  believe  we  share  a  common  goal  to  improve  Federal 
financial  management  by  building  and  maintaining  financial  systems  that  comply  with  the  FFMIA. 
Specifically,  the  law  requires  systems  should  substantially  comply  with:  (1)  Federal  financial 
management  S5Gtems  requirements,  (2)  applicable  Federal  accounting  stan^ds,  and  (3)  die  United 
States  Standard  General  Ledger  at  the  transaction  level. 

At  this  point  in  time,  I  believe  it  is  important  to  measure  progress  toward  improvement  and 
acknowledge  that  the  agencies  are  moving  steadily  in  the  right  direction.  At  our  meeting,  I 
expressed  my  concern  that,  as  currently  written  in  OMB’s  guidance,  compliance  requirements  were 
black  and  white-an  agency  was  either  compliant  or  not  compliant.  Such  an  approach  does  not 
measure  the  progress  many  agencies,  and  more  specifically  major  components  of  agencies,  are 
making  in  one  or  more  of  the  three  compliance  areas.  We  agreed  that  ihe  improvements  necessary  to 
bring  systems  into  compliance  have  a  lengthy  time  firame. 

I  concur  with  FFMIA's  compliance  requirements;  but  I  would  like  to  see  some 
acknowledgment  that  agencies  are  making  progress.  As  it  reads  now,  the  report  is  very  negative  and 
does  not  give  any  credit  for  either  progress  made  by  agencies  or  current  improvement  efforts 
underway.  Also,  die  report  highli^ts  numerous  non-FFMIA  problems  with  information  security, 
some  in  financial  management  systems  that  are  FFMIA,  but  many  in  mixed  or  enterprise  systems 
well  beyond  die  influence  of  the  Chief  Financial  Officer.  As  we  discussed  at  our  meeting  last 
Wednesday,  we  must  stay  focused  on  financial  systems  security,  recognizing  that  some  problems 
must  be  addressed  at  a  department  wide  level  by  the  Chief  Information  Officer  and  not  on  an 
individual  system  approach. 


Thank  you  for  considering  my  views.  Please  feel  free  to  call  me  on  (202)  395-3993  if  you 
would  like  to  tfiscuss  this  issue  further.  Specific  comments  are  provided  in  the  enclosure  to  this  ' 
letter. 


Enclosure 


So^pfr'LKull 

p^uty  Controller 
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See  comment  2. 

Now  on  pp.  4  and  38. 


See  comment  3. 
Now  on  p.  11. 


See  comment  4. 
Now  on  p.  1 1 . 

See  comment  5. 

Now  on  p.  14. 


See  comment  6. 
Nowon  p.  15. 


See  comment  7. 
Now  on  pp.  16-17. 


Comments 

“Federal  Financial  Management  Improvement  Act  Results  for  Fiscal  Year  1999” 
(presented  by  draft  page  number) 

1 .  Pages  5  and  48  contain  a  discussion  of  0MB ’s  process  for  reviewing  remediation  plans  and 
states  that  the  approach  being  used  will  begin  with  the  FY  1999  plans.  The  discussion  should 
mention  that  any  remediation  activities  underway  at  agencies  previously  reported  to  0MB 
are  being  considered  in  this  process  and  have  been  the  basis  of  our  discussions  with  agencies 
on  FFMIA  compliance.  The  approach  is  not  limited  to  those  being  activities  being  reported 
in  the  FY  1999  plans 

2.  Page  12  states  “AAPC’s  efforts  result  in  authoritative  guidance  for  preparers  and  auditors  of . 
. .”  We  recommend  substituting  the  word  “authoritative”  with  “implementation.”  While 
AAPC  documents  now  become  part  of  the  Federal  GAAP  hierarchy  for  accounting  matters, 
AAPC  documents  are  not  necessarily  authoritative  for  audit  matters.  The  authoritative  nature 
of  AAPC  documents  is  being  deliberated  currently.  The  suggested  edit  should  address  this 
matter  for  purposes  of  this  report. 

3.  Page  13  presents  Table  three  containing  a  column  titled  “Release  date.”  “AAPC  Release 
Date”  would  be  a  more  accurate  title  since  TR-3  and  TR-4  have  been  issued  by  AAPC  but 
have  not  been  issued  by  0MB. 

4.  Page  17  stales  “This  continuing  widespread  noncompliance  with  FFMIA  is  indicative  of  the 
overall  longstanding  poor  condition  of  agency  financial  systems.”  The  statement  is  factually 
true  as  to  the  noncompliance  with  FFMIA  however  it  does  not  recognize  that  progress  has 
been  made  to  correct  problems  within  the  individual  agency  systems.  Interim  steps  towards 
progress  in  correcting  longstanding  system  problems  cannot  be  show  since  the  agency’s 
FFMIA  detennination  shows  overall  agency,  not  individual  system,  compliance.  Credit 
should  be  given  to  the  efforts  of  agencies  to  improve  their  systems. 

5.  Page  17  also  states  “Fifteen  of  the  24  CFO  Act  agencies  received  unqualified  audit  opinions 
on  their  financial  statements  for  fiscal  year  1999,  up  from  12  in  fiscal  year  1998  and  1 1  in 
fiscal  year  1997.  Yet  FFMIA  noncompliance  has  been  fairly  consistent  since  fiscal  year  1997 
when  the  systems  of  20  of  the  24  CFO  Act  agencies  were  reported  to  be  noncompliant.” 
Based  upon  the  discussion  in  this  report  on  agencies  using  “heroic  efforts”  to  produce 
financial  statements  it  appears  a  correlation  between  clean  opinions  and  FFMIA  compliance 
cannot  be  drawn.  Some  consideration  should  be  given  to  the  fact  that  improved  systems  may 
have  assisted  in  providing  better  and  more  timely  financial  statement  information  even  if  an 
agency  is  not  in  overall  compliance  with  FFMIA. 

6.  Pages  18-20  present  Table  four.  We  suggest  the  following  changes: 
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See  comment  7. 
See  comment  8. 


See  comment  9. 
Nowon  p.  17. 


See  comment  10. 
Nowon  p.  18. 


See  comment  1 1 . 
Nowon  pp.  19  and  20. 


See  comment  12. 


See  comment  13. 

Now  on  pp.  21  and  23. 


•  add  a  column  showing  the  agency  head’s  detennination  of  substantial  compliance  with 
FFMIA  since  this  is  the  key  detennination  required  by  the  law. 

•  recognize  Education  as  receiving  a  qualified  opinion  in  the  chart  totals 

•  show  a  disclaimer  audit  opinion  for  the  financial  statements  of  0PM 

The  changes  to  include  Education  as  a  qualified  opinion  and  0PM  as  a  disclaimer  2 will 
reconcile  the  1999  actual  results  reported  by  the  Administration  with  the  results  included  in 
this  report.  We  believe  it  is  most  helpful  to  consistently  report  this  information,  imless  we 
have  substantive  difference  (which  is  not  the  case  in  this  situation). 

7.  Page  20  states  ‘Tinancial  statement  audit  results  are  key  indicators  of  the  quality  of  agency 
financial  data  at  year-end  and  provide  an  annual  public  scorecard  on  accountability.'*  There 
are  other  key  indicators  of  quality  financial  data  such  as  the  ability  to  provide  financial  data 
to  program  managers  that  is  timely  and  useful  Financial  statements,  not  their  audits,  provide 
accountability  to  the  public.  We  suggest  revising  this  sentence  to  state,  'Financial  statements 
demonstrate  agency  accountability  to  the  public.” 

8.  Page  21  states  “The  results  shown  in  table  4  indicate  that,  although  auditors  reported  that  the 
financial  statements  of  15  of  the  24  CFO  Act  agencies  were  fairly  presented  and  reliable  at 
the  end  of  the  fiscal  year,  the  financial  systems  of  21  of  the  24  agencies  have  weaknesses, 
some  of  which  are  so  serious  that  they  are  not  able  to  routinely  provide  reliable,  useful,  and 
timely  information  on  an  ongoing  basis.”  The  basis  for  drawing  this  conclusion  should  be 
explained  in  the  report. 

9.  Page  23  discusses  the  information  on  Table  5.  The  narrative  should  mention  that  the  agency 
heads  of  three  additional  agencies  disagreed  with  their  auditors  on  FFMIA  compliance.  In 
addition  Table  5,  shown  on  page  24  should  be  organized  to  show  the  three  areas  of  the  law: 
systems  requirements,  applicable  Federal  accounting  standards,  and  SOL  compliance.  The 
columns  now  used  for  system  integration,  reconciliation  procedures,  and  security  do  not 
cover  the  scope  of  system  requirements  that  must  be  satisfied  for  FFMIA  compliance.  Should 
additional  breakouts  of  specific  system  requirements  be  presented  they  should  be  shown  as 
subsets  of  the  system  requirements. 

Also,  the  table  should  be  revised  to  show  the  following: 

•  Non-compliance  with  the  SGL  for  NRC  as  they  reported  their  program  cost  accounting  is 
not  performed  through  the  general  ledger  due  to  SGL  problems. 

•  Compliance  with  the  SGL  for  Justice  nor  EPA  as  findings  for  this  area  was  not  cited  in 
the  auditor’s  reports. 

10.  Page  25  has  a  separate  section  discussing  nonintegrated  financial  management  systems. 

Page  28  has  an  additional  section  discussing  reconciliations.  These  are  only  two  of  the  many 
examples  of  system  requirements.  Consideration  should  be  given  to  presenting  system 
requirements  in  a  single  section  titled  as  such.  The  current  presentation  might  lead  a  reader 
to  believe  other  system  requirements  are  less  significant. 
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See  comment  14. 
Now  on  p.  27. 


Nowon  p.  27. 

See  comment  15. 

Now  on  pp.  28  and  20. 

See  comment  16. 

Now  on  p.  30. 


See  comment  17. 
Now  on  p.  30. 


See  comment  18. 
Now  on  p.  33. 


See  comment  19. 

Now  on  pp.  36,  4,  and  37. 


1 1 .  Page  33  contains  a  discussion  of  infonnation  security  weaknesses.  This  discussion  should 
highlight  that  most  of  the  weaknesses  cited  resulted  from  problems  with  an  agency’s  overall 
information  security  infrastructure  and  impacting  all  agency  information  technology  systems. 
The  report  should  put  the  problem  in  perspective  and  state  that  these  problems  must  be 
addressed  on  an  agency  wide  basis,  but  not  within  the  scope  of  individual  financial 
management  systems  covered  by  FFMIA.  Page  34  cites  specific  security  problems  such  as 
access  to  personal  medical  infonnation.  Examples  such  as  these  show  the  problems  to  be 
programmatic  and  beyond  the  scope  of  financial  management  systems. 

12.  Page  35  discusses  information  systems  security  problems  reported  by  auditors  at  20  agencies. 
This  amount  is  inconsistent  with  Table  5  on  page  24  that  shows  21  agencies. 

13.  Page  38  states  “According  to  0MB,  if  a  disagreement  cannot  be  resolved  within  the  agency, 
file  agency  head  is  to  send  a  formal  letter  stating  the  disagreement  and  requesting  that  the 
Director  of  0MB  make  a  decision.”  This  statement  is  not  completely  accurate.  A  more 
accurate  statement  is  “According  to  0MB,  if  there  is  a  disagreement  between  management 
and  the  auditors,  agencies  can  contact  0MB  and  it  will  woric  with  them  on  the  issue.” 
Agencies  do  not  need  to  send  a  formal  letter  to  request  0MB  assistance.  Since  the  passage  of 
FFMIA,  0MB  has  met  with  agency  managCTs  and  auditors  to  discuss  these  situations. 
However,  formal  letters  are  required  when  the  agency  disagrees  with  the  auditor’s 
determinations.  This  notification  is  usually  incorporated  in  the  financial  statement 
transmittals  to  0MB.  0MB  was  notified  by  the  three  agencies  identified  in  this  report  as 
being  in  disagreement  with  their  auditor’s  findings. 

14.  Page  38  also  states  “According  to  the  0MB  officials,  as  long  as  the  agencies  recognize  ^eir 
problems  and  arc  addressing  them,  then  0MB  will  not  require  a  separate  FFMIA  remediation 
plan.”  This  statement  applies  to  agencies  in  substantial  compliance  with  FFMIA  as  the  law 
does  not  require  a  plan  from  those  agencies.  Agencies  in  compliance  with  FFMIA  are 
directed  to  address  system  weaknesses  in  their  financial  management  improvement  plans 
through  the  guidance  provided  in  Section  52.4(3)  of  0MB  Circular  A-ll.  This  should  be 
clarified  in  the  report. 

15.  Page  41  provides  a  discussion  of  the  elements  of  remediation  plans  including  resource 
requirements.  0MB  views  the  resource  infonnation  agencies  provide  in  their  capital  asset 
plan  exhibits  and  information  technology  portfolios  as  satisfying  this  requirement.  In  0MB ’s 
^>proach  to  reviewing  remediation  plans  we  consider  the  whole  IT  capital  plan  that  includes 
capital  asset  plans,  information  technology  portfolios,  financial  management  plans,  and  other 
related  documents. 

16.  Page  45  refers  to  implementing  the  firework  in  Clinger-Cohen  to  ensure  that  IT  dollars  are 
directed  towards  prudent  investments.  The  approach  mentioned  on  pages  5  and  47  used  by 
0MB  for  monitoring  agency  FFMIA  remediation  activities  is  the  same  as  the  process  used  by 
0MB  to  review  an  agency’s  information  technology  capital  asset  planning  process.  This 
process  links  FFMIA  remediation  activities  with  the  framework  prescribed  in  Clinger-Cohen. 
This  link  should  be  highlighted  in  the  report  so  that  agencies  recognize  that  financial 


Page  49 


GAO/AIMD-00  307  FFMIA  Results  for  Fiscal  Year  1999 


Appendix  I 

Comments  From  the  Office  of  Management 
and  Budget 


See  comment  20. 
Now  on  p.  37. 


See  comment  21. 
Now  on  p.  38. 

Now  on  p.  40. 

See  comment  22. 
Now  on  p.  40. 


management  system  investments  required  for  FFMIA  remediation  activities  are  part  of  the 
agency  IT  capital  asset  plan, 

17.  Page  46  states,  *^SpecificaIly,  0MB  provides  (1)  guidance  and  assistance  to  agencies  related 
to  preparing  remediation  plans  and  (2)  FFMIA  audit  guidance  for  agency  auditors.’*  This 
statement  would  be  more  accurate  by  stating,  ‘‘Specifically,  0MB  provides  (1)  guidance  and 
assistance  to  agencies  related  to  preparing  remediation  plans,  (2)  FFMIA  implementation 
guidance,  and  (3)  audit  requirements  for  financial  statements  including  those  for  auditor 
reporting  prescribed  by  FFMIA. 

1 8.  Page  49  states  “Also,  FFMIA  compliance  guidance  is  contained  in  an  exposure  draft  of  a 
review  guide  issued  by  JFMIP  and  the  CFO  Council  and  in  checklists  that  we  have 
published.”  0MB  provides  implementation  guidance  for  FFMIA.  The  document  JFMIP  is 
prqparing,  the  “Systems  Compliance  Review  Guide”,  as  well  as  the  GAO  checklists  are  tools 
available  for  reviewers  to  use  in  assessing  compliance.  They  should  not  be  considered 
guidance  because  they  do  not  establish  policy  or  requirements  agencies  must  follow.  The 
reference  to  guidance  also  should  be  correct^  in  the  section  starting  on  page  50. 

19.  Page  50  states,  “As  of  August  2000,  a  revised  version  of  the  exposure  draft  was  pending 
issuance  while  awaiting  comments  from  0MB  and  the  Department  of  Treasury.”  If  0MB 
and  the  Department  of  Treasury  have  comments  at  this  point  in  the  review  process  they 
identify  problems  with  the  exposure  draft  and  not  a  mere  sign-off  of  a  final  product.  This 
statement  should  be  revised  to  indicate  the  systems  compliance  review  guide  is  being  revised 
to  incorporate  the  final  comments  of  the  JFMIP  Steering  Committee. 
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The  following  are  GAO’s  comments  on  the  Office  of  Management  and 
Budget’s  September  21,  2000,  letter. 


GAO  Comments 


1.  See  “Agency  Comments  and  Our  Evaluation”  section. 

2.  The  report  was  revised  to  address  0MB  s  comment. 

3.  The  report  was  revised  to  address  0MB  s  comment. 

4.  The  report  was  revised  to  address  OMB’s  comment. 

5.  See  “Agency  Comments  and  Our  Evaluation”  section. 

6.  We  disagree  that  a  correlation  between  clean  opinions  and  FFMIA 
compliance  cannot  be  drawn.  The  report  is  intended  to  convey  the 
message  that  some  agencies  had  to  use  “heroic  efforts”  to  produce 
financial  statements  because  their  systems  could  not  produce  them. 
One  of  the  reasons  the  systems  could  not  produce  the  financial 
statements  is  because  they  do  not  comply  with  FFMIA’s  requirements. 

7.  The  main  source  for  this  section  of  the  report  is  agency  audit  reports. 
Therefore,  table  4  summarizes  auditors’  FFMIA  determinations  and 
financial  statement  opinions.  To  address  this  concern,  we  added  a  note 
to  the  table  that  discusses  determinations  made  by  agency 
management.  We  also  discuss  the  agencies  that  disagreed  with  their 
auditors’  FFMIA  determinations  in  footnote  18  on  page  14  and  in  the 
remediation  plans  section  on  page  30. 

8.  The  report  was  revised  to  address  OMB’s  comments. 

9.  We  agree  that  the  ability  to  provide  financial  data  to  program  managers 
that  is  timely  and  useful  is  a  key  indicator  of  the  quality  of  financial 
data.  This  is  the  end  game  that  we  discuss  in  our  report.  At  the  same 
time,  we  do  not  agree  that  results  of  financial  statement  audits  do  not 
provide  a  measure  of  accountability  to  the  public.  Audit  results  show 
whether  the  information  in  the  financial  statements  is  reliable  and  fairly 
presented.  Audit  results  have  been  one  of  the  key  indicators  for  both 
government  and  private  industry  to  provide  accountability. 

10.  Language  was  added  to  the  report  to  show  that  the  basis  for  this 
conclusion  is  discussed  in  the  sections  that  follow. 
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11.  The  purpose  of  table  5  is  to  show  the  most  commonly  reported 
problems  relevant  to  FFMIA,  as  explained  in  the  paragraph  preceding 
the  table.  As  discussed  in  the  text,  this  table  covers  more  than  specific 
reasons  for  noncompliance  with  FFMIA,  so  a  discussion  of  agencies’ 
FFMIA  determinations  is  not  appropriate  here.  Table  4  shows  the  three 
requirements  in  the  law — systems  requirements,  applicable  federal 
accounting  standards,  and  SGL  compliance — and  what  auditors 
reported  regarding  these  three  areas. 

12.  The  changes  suggested  by  0MB  in  its  comments  illustrate  the  need  to 
clarify  guidance  to  auditors  for  reporting  on  compliance  with  FFMIA. 
We  note  that  OMB’s  recently  proposed  revisions  to  the  audit  guidance 
in  Bulletin  98-08  should  help  to  do  this. 

We  have  revised  tables  4  and  5  to  show  that  NRC  experienced 
difficulties  complying  with  the  SGL  requirements  of  FFMIA.  We  agree 
that  the  consolidated  audit  report  for  the  Department  of  Justice  did  not 
specifically  mention  noncompliance  with  the  SGL.  However,  the 
consolidated  audit  report  referred  to  component  audit  reports.  The 
auditors  of  the  Immigration  and  Naturalization  Service  (INS),  a  major 
component  of  the  Department  of  Justice,  cited  noncompliance  with  the 
SGL  in  the  INS’  audit  report;  therefore,  we  included  this  as  a  problem 
reported  by  auditors  (table  5).  Regarding  the  Environmental  Protection 
Agency  (EPA),  the  audit  report  stated  that,  in  most  cases,  EPA  could 
not  report  its  intragovernmental  assets  and  liabilities  by  trading  partner 
because  finance  offices  were  not  coding  transactions  to  show  this 
information.  We  interpret  this  as  a  SGL  noncompliance  issue  because 
reporting  intragovernmental  transactions  by  trading  partner  is  an  SGL 
requirement. 

13.  We  did  not  intend  to  imply  that  other  systems  requirements  are  less 
significant.  Our  intention  was  to  highlight  major  areas  needing 
attention  that  were  most  often  cited  by  auditors. 

14.  See  “Agency  Comments  and  Our  Evaluation”  section. 

15.  The  report  was  revised  to  address  OMB’s  comment. 

16.  The  report  was  revised  to  address  OMB’s  comment. 

17.  The  report  was  revised  to  address  OMB’s  comment. 
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18.  We  reviewed  fiscal  year  1998  remediation  plans  that  were  prepared 
before  0MB  adopted  this  new  approach  for  reviewing  the  plans.  Fiscal 
year  1999  remediation  plans  are  not  due  to  0MB,  and  therefore  will  not 
be  available,  until  December  2000.  We  believe  that  OMB’s  approach  to 
consider  the  whole  IT  capital  investment  plan  has  merit,  and  as  part  of 
our  work  for  next  year’s  report,  we  will  review  this  approach.  At  the 
same  time,  FFMIA  requires  that  remediation  plans  contain  resources, 
and  therefore,  elements  of  the  remediation  plan  that  are  included  in 
other  documents  should  be  referred  to  in  order  to  assist  the  plan’s  users 
and  fulfill  the  requirements  of  FFMIA.  The  fiscal  year  1998  remediation 
plans  we  reviewed  generally  did  not  refer  the  reader  to  IT  capital 
investment  plans  to  identify  resources  needed, 

19.  The  report  was  revised  to  address  OMB’s  comments. 

20.  The  report  was  revised  to  address  OMB’s  comments. 

21.  The  report  was  revised  to  address  OMB’s  comments. 

22.  The  report  was  revised  to  address  OMB’s  comments. 


(916337) 
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